HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

HIPAA Breach Notice Issued After Colorado Medicaid Mailing Error

The Colorado Department of Health Care Policy and Financing issued a HIPAA breach notice yesterday, announcing the potential exposure of confidential records relating to 1,622 households. A limited amount of Protected Health Information (PHI) was inadvertently disclosed to Medicaid recipients after a recent mailing error.

The mailing took place between May 25, and July 5, 2015; but due to a technical error, letters were sent to incorrect recipients. The error was noticed by a resident who had received correspondence with details of a different person, and the matter was reported to county workers on July 1, according to the breach notice; four days before the mailing was stopped and the problem corrected.

After an investigation into the breach was conducted, the department determined that patient names, Medicaid numbers, state ID numbers, family member names, employer names, income from the employer, Advanced Tax Credit amounts, and approval status for Medicaid and Child Health Plan services were potentially disclosed. In less than 50 cases, the person’s date of birth was also included in the mailing.

The letter explains there is a risk of identity theft and fraud when financial information and Social Security numbers are exposed. This data was not exposed, therefore the risk of fraud is low. The letter explains that in many cases, data would have potentially been exposed to one individual, but as many of three individuals may have received a letter with a Medicaid recipient’s data.

Get The Checklist

Free and Immediate Download
of HIPAA Compliance Checklist

Delivered via email so verify your email address is correct.

Your Privacy Respected

HIPAA Journal Privacy Policy

The department has made attempts to contact all individuals who received a letter, requesting they return it or destroy it. Even though there is not a high risk of patients suffering from fraud, loss, or damage as a result of the mailing error, the Colorado Department of Health Care Policy and Financing is in the process of contacting individuals affected to notify them of the HIPAA breach and to offer them credit monitoring services.

According to Susan E. Birch, executive director for the department, said in a statement issued about the breach, “the Department, in partnership with its vendors, has taken additional steps to prevent future errors.”

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.