HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

PHI of 1,615 Medicaid Patients Potentially Exposed by NC DHHS

The North Carolina Department of Health and Human Services (NCDHHS) has started sending breach notification letters to 1,615 patients alerting them to a breach of their Protected Health Information (PHI), following an internal breach of security protocol.

NCDHHS spokeswoman Kendra Gerlach issued a statement yesterday announcing the data breach, which occurred on August 19, 2015. Under the Breach Notification Rule of the Health Insurance Portability and Accountability Act, covered entities are allowed up to 60 days to alert the Office for Civil Rights, the media, and patients to a breach of PHI. This is a maximum time limit. The Breach Notification Rule also says that notices must be issued to patients without unreasonable delay.

The notice was issued very close to the 60-day deadline. Gerlach explained that the delay was necessary because NCDHHS “must investigate thoroughly and ensure there is full understanding before determining next steps [to take].”

The security breach occurred when an employee sent an email containing a spreadsheet to the Granville County Health Department. The spreadsheet listed information relating to Medicaid services provided to patients, along with provider names, provider ID numbers, Medicaid identification numbers, and patients’ first and last names. While 1,615 patients potentially had their PHI exposed, only two Social Security numbers were present in the spreadsheet, because the two affected patients had used them as their Medicaid ID numbers. No dates of birth were exposed in the security breach.

There is no reason to suggest that the email has been intercepted or viewed by anyone other than the intended recipients, who were able to confirm that the spreadsheet was received. However, email is not a secure medium to use to send PHI unless the data contained therein has first been encrypted. NCDHHS has a policy to encrypt all PHI that is emailed, but in this case that policy was not adhered to.

In response to the security breach, NCDHHS has alerted patients to the potential risk of identity theft and medical fraud, and has advised them that they “may take steps to protect themselves by putting a fraud alert on their credit files and by keeping an eye on their bank statements and credit card bills for any unusual or unauthorized activity.”

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.