The Washington State Health Care Authority issued the following press release today:
State notifies 91,000 Apple Health (Medicaid) clients of data breach by Health Care Authority employee
Employment terminated for individuals involved in data breach; notifying the appropriate federal officials for further investigation and potential criminal review
OLYMPIA – The Washington State Health Care Authority (HCA) discovered that the personal identification information and private health information of more than 91,000 Apple Health (Medicaid) clients was handled improperly by an individual HCA employee. HCA today is sending a notification letter to clients affected by the breach.
The information includes clients’ Social Security numbers, dates of birth, Apple Health client ID numbers, and private health information.
“Our first and foremost priority is protecting our clients’ personal information,” said HCA Risk Manager Steve Dotson. “We have taken swift action to address this issue and help prevent future incidents. I know this is stressful and concerning for those impacted, and we are doing everything possible to support them.”
Two state employees in two state agencies exchanged Apple Health client files in violation of requirements under the federal Health Insurance Portability and Accountability Act (HIPAA). Both employees assert that the exchange of information occurred because the HCA employee needed technical assistance with spreadsheets that contained the data and that the information was not used for any additional unauthorized purposes or forwarded to any other unauthorized recipients. The breach was discovered in the course of a whistleblower investigation into misuse of state resources.
“While we have no indication that the client files went beyond the two individuals involved, important privacy laws were violated and we are exercising caution and due diligence given the nature of the information,” Dotson said.
Because the investigation could not confirm that the data stayed within the state’s systems, it was determined there was a breach of protected data, requiring client notification.
Both individuals’ employment has been terminated. Upon discovering the breach, HCA:
- Conducted an internal investigation that included securing and searching the employee’s computer to understand what information was exchanged.
- Partnered with the state agency whose employee was the recipient of the information to further understand what information was exchanged and to ensure HCA information was secure.
- Worked to identify files containing private information and notify impacted clients.
- Set up one year of free credit monitoring for impacted clients, a toll-free number and a web page for impacted Apple Health clients.

HCA covers more than 1.8 million Washington residents through the Apple Health program, which provides free health care to individuals with low incomes.
Update 1: Northwest Public Radio subsequently reported some additional details:
One report shows a Health Care Authority worker sent dozens of confidential files to her brother at the Department of Social and Health Services.
The report says she was seeking technical assistance, and the brother completed assignments for her.
That led investigators to search the brother’s work computer.
The report found he spent hours on non-work related sites, including multiple hours on sexually explicit sites where he would view and upload images.
The health care agency said it could not determine whether clients’ data stayed in state systems, so it determined that a breach had occurred.