Mississippi Division of Medicaid Announces Exposure of 5,220 Individuals’ PHI

The Mississippi Division of Medicaid (DOM) has announced that 5,220 Medicaid recipients have had some of their protected health information (PHI) exposed via email as a result of an error with an online form service.

DOM discovered that the online form service was sending emails containing PHI to staff members, but those emails were not encrypted. The online service was used by staff members to create forms that were posted on its medicaid.ms.gov website. When a form was submitted via the website, emails containing the form information were sent to designated staff members.

Once the emails were received, they were securely stored; however, it is possible that the information contained in the emails could have been intercepted in transit and accessed by unauthorized individuals. DOM stopped using the online service once the error was discovered, and all forms were removed from the website.

The service transmitted six different online forms. Those forms contained the following PHI elements: names, addresses, phone numbers, dates of birth, email addresses, health insurer names, admission dates, enrollment dates, medical conditions, Medicare and/or Medicaid identification numbers, and Social Security numbers. The online form service was used between May 2, 2014, and April 10, 2017.

While PHI was exposed as a result of the error, DOM says there is no reason to believe that any PHI has actually been viewed or obtained by unauthorized individuals. Keith Robinson, DOM’s security officer, said, “It is highly unlikely that the data was compromised since the typical user would not know how to capture it during transmission.” He also explained that at the source and destination the information was secured.

In response to this incident, DOM will be strengthening its technological safeguards to prevent any future incidents of this nature from occurring. DOM’s policies and procedures relating to privacy and security will also be revised.

As required by HIPAA, all individuals affected by the incident have been notified by mail. No credit monitoring or identity theft protection services are being offered due to the low risk of data compromise, although impacted individuals have been advised to check their credit reports carefully.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.
