Share this article on:
The Colorado Department of Health Care Policy and Financing issued a HIPAA breach notice yesterday, announcing the potential exposure of confidential records relating to 1,622 households. A limited amount of Protected Health Information (PHI) was inadvertently disclosed to Medicaid recipients after a recent mailing error.
The mailing took place between May 25, and July 5, 2015; but due to a technical error, letters were sent to incorrect recipients. The error was noticed by a resident who had received correspondence with details of a different person, and the matter was reported to county workers on July 1, according to the breach notice; four days before the mailing was stopped and the problem corrected.
After an investigation into the breach was conducted, the department determined that patient names, Medicaid numbers, state ID numbers, family member names, employer names, income from the employer, Advanced Tax Credit amounts, and approval status for Medicaid and Child Health Plan services were potentially disclosed. In less than 50 cases, the person’s date of birth was also included in the mailing.
The letter explains there is a risk of identity theft and fraud when financial information and Social Security numbers are exposed. This data was not exposed, therefore the risk of fraud is low. The letter explains that in many cases, data would have potentially been exposed to one individual, but as many of three individuals may have received a letter with a Medicaid recipient’s data.
The department has made attempts to contact all individuals who received a letter, requesting they return it or destroy it. Even though there is not a high risk of patients suffering from fraud, loss, or damage as a result of the mailing error, the Colorado Department of Health Care Policy and Financing is in the process of contacting individuals affected to notify them of the HIPAA breach and to offer them credit monitoring services.
According to Susan E. Birch, executive director for the department, said in a statement issued about the breach, “the Department, in partnership with its vendors, has taken additional steps to prevent future errors.”