North Dakota Department of Human Services Notifies 2,452 Medicaid Recipients of PHI Exposure
The North Dakota Department of Human Services (NDDHS) is alerting 2,452 Medicaid recipients that some of their protected health information has been exposed. NDDHS discovered documents containing PHI had been disposed of in a dumpster accessible by the public.
The HIPAA breach was discovered on May 19, 2017, when a member of the public saw documents containing sensitive information in a dumpster. The citizen contacted NDDHS about the discovery and an investigation was immediately launched. NDDHS arranged to collect the documents the same day.
The documents were Medicaid worksheets dated 2015. The worksheets did not contain Social Security numbers, financial information or Medicaid recipients’ addresses. They did, however, list Medicaid recipients’ first and last names, the first two characters of their Medicaid provider name, Medicaid provider numbers, Medicaid ID numbers, a two-digit code representing the county of residence, an internal NDDHS ID number, dates of service, amounts covered by insurance, amounts billed and allowed, diagnosis codes, coding modifiers, quantity, and tooth and surface detail relating to dental work. The information exposed varied for each patient.
The internal investigation into the privacy breach revealed that one individual was responsible for dumping the documents and that the improper disposal involved no malicious intent. The records were dumped on May 8, 2017, two days prior to being found by a member of the public.
Since there is a possibility that the documents have been viewed by others, individuals affected by the incident have been offered complimentary credit monitoring and identity theft protection services. However, the potential for re-disclosure of information is believed to be low as all documents have now been recovered and secured. NDDHS said in its press release that no evidence has been uncovered to suggest any information in the documents has been used improperly or further disclosed and that “appropriate disciplinary action has been taken.”
Training had already been provided to staff members on information security and HIPAA Rules. NDDHS is now working with its staff to prevent future incidents of this nature from occurring. The incident has also prompted NDDHS to conduct a review of its policies and procedures for safeguarding the protected health information of Medicaid recipients.