Apple Health HIPAA Breach Affects 91K Medicaid Recipients
The protected health information of 91,000 Apple Health Medicaid program clients has been compromised by a Washington State Health Care Authority (HCA) employee over a period of almost 3 years, according to a statement issued by HCA risk manager, Steve Dotson.
All affected individuals are in the process of being notified that their name, date of birth, Apple Health ID number, Social Security number, and private health information were improperly disclosed between early 2013 and late 2015.
The repeated privacy breaches involved two state department employees who exchanged emails containing the highly sensitive data. A woman working as a medical assistance specialist for the HCA regularly sent spreadsheets containing patient health information and Social Security numbers to her brother, who worked as an Internet technician for the Department of Social and Health Services (DSHS).
The unauthorized sharing of patient data is a breach of Health Insurance Portability and Accountability Act rules and warrants the sending of breach notification letters. Those letters were dispatched on Tuesday, February 9. All affected individuals have been offered a year of credit monitoring services without charge.
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy
The privacy breaches were brought to the attention of HCA by a DSHS whistleblower. Upon discovery of the privacy violations, HCA conducted a full internal investigation. HCA also partnered with DSHS to ensure that any data remaining on DSHS computers were secured. HCA does not believe any data were transferred outside the state email system, but this could not be confirmed.
The two employees were interviewed and both explained that the emails were sent by the woman because she required technical assistance with the spreadsheets. Both employees said this was the only reason why the spreadsheets were emailed, and patient health information was not forwarded on or otherwise shared with any other individual, nor were the data used for improper purposes.
Both employees had their employment contracts terminated for violating HIPAA rules and patient privacy rights. The matter has been referred to federal officials who will be conducting a further investigation. At this present moment, no other action has been taken against the two employees although the matter may be subject to a criminal review.
