Share this article on:
A business associate of an Indiana healthcare organization has caused one of the largest HIPPA data breaches to data. The security breach has exposed the ePHI of 187,533 patients of the Indiana Family and Social Services Administration. Not only is this one of the largest data breaches to occur this year, it involves the disclosure of incredibly detailed personal, medical and financial information.
Following an investigation into the incident, the Indiana Family and Social Services Administration was able to determine that 3,926 patient Social Security numbers had been disclosed and the patients affected have been notified separately.
In addition to names, addresses and other contact information, the records included demographic data, the benefits that clients received, total monthly benefit totals, monthly income and expenses, employment details, bank balances and details of other assets owned. Medical conditions were listed along with health insurance providers and some data relating to members of the patient’s household.
Programming Error Responsible for PHI Disclosure
The data was exposed by a bizarre programming glitch which resulted in patients being sent documentation relating to other patients. Indiana Family and Social Services Administration announced the breach on July 1 with the incident caused when one of its FSSA contractors, RCR Technology Corporation, made an error while programming its document management system. The error caused documents to be duplicated and PHI including personal identifiers and medical/financial data to be inserted with other documents that were sent out to patients.
According to the Indiana FSSA, the error occurred in a bespoke component of the document management system that was created specifically to work with its eligibility system. The code contained an incorrect variable with resulted in the error. The incident occurred on April 6, 2013 and was discovered – and corrected – just over a month later on May 21, 2013, with the error affecting all correspondence sent out during this period.
Following the announcement, the President of RCR Technology Corporation, Robert C. Reed, issued a press release apologizing for the incident and stated that the company will be taking action to prevent the accidental disclosure of confidential information in the future.
In a statement issued by FSSA secretary, Debra Minott, “We are ultimately responsible for the safekeeping of that [Personal Health] information and regret that in this rare instance some information may have been accidentally shared inappropriately.”
All affected patients are also being offered an optional 90-day fraud alert, although this is considerably less than the 12 months of credit monitoring services which are usually provided to victims of HIPAA breaches. The incident has been reported to the Office of Civil Rights and an investigation will determine whether a fine is applicable in this case.