For the second time within a year, the Utah Department of Health (UDOH) is dealing with a data breach of Medicaid patient information. This time, a third-party contract lost a USB device that contained the personal information, including name, Medicaid ID number, age, and prescription drug history, of 6,000 Medicaid patients.
Back in April, UDOH’s data server was breached. This breach led to the illegal access of 24,000 claims.
For the most recent breach, UDOH says the contractor, Goold Health Systems (Augusta, Maine) processes Medicaid pharmacy transactions for the agency. The Goold employee apparently saved personal health information on an unencrypted, portable USB memory device and then left UDOH headquarters with the device. They then misplaced the device while traveling between Salt Lake City, Denver, and Washington DC.
“There were no Social Security numbers or financial information included in the data, so we believe the potential risk for identity theft is minimal. Further, we have no reason to believe the data were targeted by anyone to be used for malicious purposes,” UDOH Deputy Director and state Medicaid Director Michael Hales, said in a statement. “Nevertheless, we understand the anxiety this will likely cause, and want clients to know we are taking all reasonable precautions to ensure the missing data cannot be used to harm individual clients or defraud the Medicaid program.”
According to UDOH, it is taking steps to protect the affected Medicaid identification numbers against potential fraudulent use. It says, the Office of the Health Data Security Ombudsman will commit its full resources to assisting affected clients in any way they need.
“I have directed UDOH attorneys to review our contract with Goold Health Systems, and I fully intend to seek whatever financial or contractual remedies are available in order to ensure GHS is held accountable for this serious mistake,” UDOH Executive Director David Patton, M.D., said in a statement. “Protecting our clients’ personal information is of utmost importance to our department, and it must be the number one priority of our contractors as well.”
Patton also stated that he hopes Goold will discipline the employee and that they will no longer be allowed to work with UDOH data.