HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Apple Health HIPAA Breach Affects 91K Medicaid Recipients

The protected health information of 91,000 Apple Health Medicaid program clients has been compromised by a Washington State Health Care Authority (HCA) employee over a period of almost 3 years, according to a statement issued by HCA risk manager, Steve Dotson.

All affected individuals are in the process of being notified that their name, date of birth, Apple Health ID number, Social Security number, and private health information were improperly disclosed between early 2013 and late 2015.

The repeated privacy breaches involved two state department employees who exchanged emails containing the highly sensitive data. A woman working as a medical assistance specialist for the HCA regularly sent spreadsheets containing patient health information and Social Security numbers to her brother, who worked as an Internet technician for the Department of Social and Health Services (DSHS).

The unauthorized sharing of patient data is a breach of Health Insurance Portability and Accountability Act rules and warrants the sending of breach notification letters. Those letters were dispatched on Tuesday, February 9. All affected individuals have been offered a year of credit monitoring services without charge.

The privacy breaches were brought to the attention of HCA by a DSHS whistleblower. Upon discovery of the privacy violations, HCA conducted a full internal investigation. HCA also partnered with DSHS to ensure that any data remaining on DSHS computers were secured. HCA does not believe any data were transferred outside the state email system, but this could not be confirmed.

The two employees were interviewed and both explained that the emails were sent by the woman because she required technical assistance with the spreadsheets. Both employees said this was the only reason why the spreadsheets were emailed, and patient health information was not forwarded on or otherwise shared with any other individual, nor were the data used for improper purposes.

Both employees had their employment contracts terminated for violating HIPAA rules and patient privacy rights. The matter has been referred to federal officials, who will conduct a further investigation. At present, no other action has been taken against the two employees, although the matter may be subject to a criminal review.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.