
PHI of 1,615 Medicaid Patients Potentially Exposed by NC DHHS


The North Carolina Department of Health and Human Services (NCDHHS) has started sending breach notification letters to 1,615 patients alerting them to a breach of their Protected Health Information (PHI), following an internal breach of security protocol.

NCDHHS spokeswoman Kendra Gerlach issued a statement yesterday announcing the data breach, which occurred on August 19, 2015. Under the Health Insurance Portability and Accountability Act’s Breach Notification Rule, covered entities are allowed up to 60 days to notify the Office for Civil Rights, the media, and patients of a breach of PHI. This is a maximum time limit. The Breach Notification Rule also says that notices must be issued to patients without unreasonable delay.

The notice was issued very close to the 60-day deadline, although the delay was explained by Gerlach as being necessary as NCDHHS “must investigate thoroughly and ensure there is full understanding before determining next steps [to take].”

The security breach occurred when an employee sent an email to the Granville County Health Department with a spreadsheet attached. The spreadsheet listed information relating to Medicaid services provided to patients, along with provider names, provider ID numbers, Medicaid Identification numbers, and patients’ first and last names. While 1,615 patients potentially had their PHI exposed, only two Social Security numbers were present in the spreadsheet, because the two affected patients had used them as their Medicaid ID numbers. No dates of birth were exposed in the security breach.

There is no reason to suggest that the email has been intercepted or viewed by anyone other than the intended recipients, who were able to confirm that the spreadsheet was received. However, email is not a secure medium to use to send PHI unless the data contained therein has first been encrypted. NCDHHS has a policy to encrypt all PHI that is emailed, but in this case that policy was not adhered to.

In response to the security breach, NCDHHS has alerted patients to the potential risk of identity theft and medical fraud, and has advised them that they “may take steps to protect themselves by putting a fraud alert on their credit files and by keeping an eye on their bank statements and credit card bills for any unusual or unauthorized activity.”

Author: HIPAA Journal
