Misdirected faxes, emails a top source of Medicaid data breaches

State Medicaid agencies had 1,260 data breaches in 2016, many of which were the result of misdirected communications that sometimes exposed the information of beneficiaries in letters, emails and faxes. In many cases, information was simply sent to the wrong place, such as the wrong beneficiary or physician office.

In fact, breaches as a result of hacking or other IT incidents were rare in 2016, according to a report from the HHS Office of Inspector General.

Data breaches, defined as the acquisition, access, use, or disclosure of protected health information, can leave beneficiaries vulnerable and expose the Medicaid program to potential fraud.

Of the Medicaid breaches in 2016, 88 percent were from unauthorized access or disclosure in misdirected communications and employee actions. Just 5 percent, or 68 breaches, were the result of theft; 4 percent were from loss of records; and less than 1 percent were caused by improper disposal of records. The fewest breaches—nine—resulted from hacking.

Data breaches varied widely in the number of people affected, the kind of information disclosed and how they happened. Approximately 515,000 beneficiaries and other individuals were affected by breaches in 2016, according to OIG. Nearly two-thirds of breaches involved a single person, and about 30 percent were disclosures that affected between two and nine beneficiaries.

Among the breaches with potential to cause harm was one in which a beneficiary’s drug test results were disclosed to an ex-girlfriend. Another individual’s address was disclosed to an ex-boyfriend who had previously “stalked and assaulted the beneficiary,” according to the report.

Just 1 percent of breaches affected 500 or more beneficiaries. One specific breach affected about 370,000 beneficiaries; it was caused by an individual who “hacked the computer server of an MCO’s business associate and had access to names, dates of birth, diagnosis information and Social Security numbers.” However, the state concluded there was no evidence the individual intended to use the information fraudulently.

OIG collected data breach information for 2016 from Medicaid agencies and contractors to conduct its report.