The Mississippi Division of Medicaid (DOM) is informing approximately 5,220 individuals of the potential exposure of their protected health information (PHI). According to federal law, certain health-care entities are required to notify individuals potentially affected by such incidents.
On April 7, 2017, DOM officials became aware of an issue with the online service the agency used to create forms posted to DOM’s website (http://medicaid.ms.gov). Once an online form was submitted the information was also emailed to designated staff within the agency. The email containing the information was not transmitted in a secure manner (i.e. encrypted). This resulted in the possible exposure of information that may have been entered into certain online forms.
Upon investigation, DOM can confirm those emails and the accompanying information included were stored in a secure manner once received.
This incident had no impact on an individual’s eligibility determination (if they were approved or denied for Mississippi Medicaid), nor on a beneficiary’s benefits if they are currently enrolled and receiving Medicaid services.
Once the error was discovered, the online forms were immediately removed from the website and use of the online form service was terminated. The agency is also in the process of strengthening technological safeguards, in addition to revising policies and procedures addressing privacy and security regulations.
The estimated duration of potential exposure was between May 2, 2014, and April 10, 2017. The incident was limited to six different forms and may have included names, birth dates, addresses, phone numbers, email addresses, admission and enrollment dates, health insurer, condition, Social Security numbers, and Medicare and/or Medicaid identification numbers.
DOM officials say there is no reason to believe any information was compromised during the occurrence, but the agency is informing individuals as required.
“It is highly unlikely that the data was compromised, since the typical Internet user would not know how to capture it during transmission. The data storage was secured both at the originating source and the destination [DOM], reducing the risk of the data being compromised,” said Keith Robinson, security officer for DOM.
The agency has not received any indication regarding unauthorized use or access of PHI related to this incident. However, individuals who believe they may be affected by this incident are advised to check their credit report with any one of the three major credit bureaus: Equifax, Experian, or Transunion.
|Equifax||1-800-525-6285||P.O. Box 740241
Atlanta, GA 30374
|Experian||1-888-397-3742||P.O. Box 9532
Allen, TX 75013
|TransUnion||1-800-680-7289||P.O. Box 6790
Fullerton, CA 92834
“The security of our beneficiaries’ protected health information is a responsibility we consider to be foundational to our mission, and we treat any potential breach very seriously, regardless of how unlikely it is that information was compromised,” said Dr. David J. Dzielak, executive director. “We sincerely apologize for this incident and will take the necessary actions to ensure it does not happen again.”
Individuals who believe they may be affected or have questions about this incident may contact DOM by calling toll-free at 1-800-421-2408 or 601-359-6050.