Personal identification and private health information of more than 91,000 Washington Medicaid clients was improperly handled by two state employees, violating federal privacy laws.
The Washington State Health Care Authority, which oversees the state Medicaid program, called Apple Health, is sending notification letters to those affected by the data breach. The compromised information includes clients’ Social Security numbers, dates of birth, Apple Health client identification numbers and private health information.
The breach was discovered during a whistleblower investigation into the misuse of state resources.
“Our first and foremost priority is protecting our clients’ personal information,” said Steve Dotson, the Health Care Authority’s risk manager, in a news release. “We have taken swift action to address this issue and help prevent future incidents. I know this is stressful and concerning for those impacted, and we are doing everything possible to support them.”
Two employees in two state agencies exchanged client files in violation of requirements under the federal Health Insurance Portability and Accountability Act, or HIPAA, according to the Health Care Authority.
The employees say the information was exchanged because the Health Care Authority employee needed technical assistance with spreadsheets containing the data. They claim the information was not used for any additional unauthorized purposes or forwarded to any other unauthorized recipients, according to the state agency.
State officials couldn’t confirm that the data stayed within the state’s systems, however, so they determined there was a breach of protected data, requiring client notification. Both employees were fired.
The Health Care Authority has also notified federal officials and the state attorney general about the data breach for further investigation and potential criminal review.
The Health Care Authority is providing one year of free credit monitoring for impacted Apple Health clients. The agency also set up a toll-free number, 877-866-9702, and a web page, www.hca.wa.gov/medicaid/Pages/breach.aspx, where affected clients can get more information.