The Mississippi Department of Medicaid (DOM) has declared that 5,220 Medicaid beneficiaries had some of their PHI leaked through electronic mail as a consequence of a mistake with an online form facility.
DOM found that the online form facility was sending electronic mails having PHI to staff members, however, those electronic mails were not encrypted. The online facility was utilized by staff members to generate forms that were displayed on its medicaid.ms.gov website. Once a form was put forward through the website, electronic mails having the form information were transmitted to selected staff members.
After the electronic mails were received they were securely stowed; nevertheless, it’s likely that the info in the electronic mails might have been interrupted in the journey and might have been retrieved by illegal persons. DOM discontinued utilizing the online facility as soon as the mistake was found and all forms were taken out from the website.
The facility transferred 6 different online forms. Those forms had the following PHI parts: Names, addresses, Medicare and/or Medicaid identification numbers, medical conditions, enrollment dates, admission dates, health insurer names, email addresses, dates of birth, phone numbers, and Social Security numbers. The online form facility was utilized between May 2, 2014, and April 10, 2017.
Although PHI was disclosed as a consequence of the mistake, DOM states there isn’t any reason to suppose that any PHI has really been obtained or viewed by illegal people. DOM’s security officer, Keith Robinson, said, “It’s highly unbelievable that the data was undermined because the ordinary user won’t know the way to seize it during transmission.” He also clarified that at the destination and source the information was safe.
In reaction to this incident, DOM will be reinforcing its technological protections to avoid any future occurrences of this type from happening. DOM’s procedures and policies concerning security and privacy will also be reviewed.
As demanded by HIPAA, all people affected by the event have been alerted by post. No identity theft defense facilities or credit checking are being offered because of the low danger of data compromise, even though affected people have been instructed to verify their credit reports cautiously.