HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Mississippi Division of Medicaid Announces Exposure of 5,220 Individuals’ PHI

The Mississippi Division of Medicaid (DOM) has announced that 5,220 Medicaid recipients have had some of their protected health information (PHI) exposed via email as a result of an error with an online form service.

DOM discovered that the online form service was sending emails containing PHI to staff members, but those emails were not encrypted. The online service was used by staff members to create forms that were posted on its medicaid.ms.gov website. When a form was submitted via the website, emails containing the form information were sent to designated staff members.

Once the emails were received, they were securely stored; however, it is possible that the information contained in the emails could have been intercepted in transit and accessed by unauthorized individuals. DOM stopped using the online service once the error was discovered, and all forms were removed from the website.

The service transmitted six different online forms. Those forms contained the following PHI elements: names, addresses, phone numbers, dates of birth, email addresses, health insurer names, admission dates, enrollment dates, medical conditions, Medicare and/or Medicaid identification numbers, and Social Security numbers. The online form service was used between May 2, 2014 and April 10, 2017.

While PHI was exposed as a result of the error, DOM says there is no reason to believe that any PHI has actually been viewed or obtained by unauthorized individuals. Keith Robinson, DOM’s security officer, said, “It is highly unlikely that the data was compromised since the typical user would not know how to capture it during transmission.” He also explained that at the source and destination the information was secured.

In response to this incident, DOM will be strengthening its technological safeguards to prevent any future incidents of this nature from occurring. DOM’s policies and procedures relating to privacy and security will also be revised.

As required by HIPAA, all individuals affected by the incident have been notified by mail. No credit monitoring or identity theft protection services are being offered due to the low risk of data compromise, although impacted individuals have been advised to check their credit reports carefully.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.