Medicaid data breach 'like an onion'

By Molly Merrill
04:16 PM

One of the largest recent security breaches of personal health information (PHI), involving 280,000 individuals, is on the surface a "pretty low-risk scenario," says one privacy expert. But, he acknowledges, "these things are like an onion: the more layers you peel back, the stinkier it gets."

Affiliated insurers Keystone Mercy Health Plan and AmeriHealth Mercy Health Plan reported the data breach, which involves the records of Medicaid recipients. According to their websites on Sept. 20, Keystone Mercy misplaced a portable computer drive (USB flash drive). The drive had personal health information about some of its members and others who attended some of its community events.

According to the Pennsylvania Department of Welfare this is the first such Medicaid data breach in the state since at least 1997.

Keystone is Pennsylvania's largest Medical Assistance (Medicaid) managed care health plan serving more than 300,000 Medical Assistance recipients in Southeastern Pennsylvania including Bucks, Chester, Delaware, Montgomery and Philadelphia counties. AmeriHealth is a Medical Assistance (Medicaid) managed care health plan serving more than 100,000 Medical Assistance recipients in 15 counties. The two companies are jointly owned by Independence Blue Cross and the Mercy Health System and share headquarters in Southwest Philadelphia, where the drive was said to have gone missing.  

Ed Goodman, chief privacy officer at Identity Theft 911, a Scottsdale, Ariz., provider of data breach solutions, says the news has been so "sensational" due to the high number of individuals involved, "but the reality is that full Social Security numbers were not present."

Goodman says that according to reports, approximately 808 of the individuals' information included full or partial Social Security numbers. He says that although these members may want to take proactive measures to prevent fraud, such as checking their credit files, this is not a huge identity theft risk.

"Even though this is a low risk scenario, it cries out for recognition because it happened on one thumb drive," Goodman said.

Which brings him to the main takeaway – encryption. He says he assumes the data was not encrypted – if it was the companies would not be required under HIPAA to report the breach.

Goodman calls encryption the "one out" to avoid having to report breaches. "You can put systems in place, but there are always going to be breakdowns in processes," he said.
Encryption is an uncomplicated, fairly cheap way to protect health information even for small organizations, he adds.

For the moment, the insurers seem to be in accordance with HIPAA.

"We have taken immediate action to make sure this doesn't happen again," wrote Jay Feldstein, DO president, PA Managed Care Plans, Keystone Mercy Health Plan on the company's websites. "We have put safety measures in place and have also re-trained our employees on the importance of protecting the privacy and security of confidential information."

Feldstein says that a letter will be mailed out to all the individuals affected by the incident, outlining what happened and what information was on the drive.

The only issue that is questionable at this point is if the companies reported the breach "without reasonable delay and in no case later than 60 days," said Goodman.

He says the Attorney General's office could latch on to this if they were at all tardy in reporting it, although he sees that as doubtful.

Goodman is also a member of the State Bar of Arizona, and served as the 2008-2009 section chair of the State Bar of Arizona Internet, E-Commerce and Technology Law Practice Section. He is a Certified Information Privacy professional and has studied comparative privacy law at the International Court of Justice in Hague. He's also a member of the International Association of Financial Crimes and Investigators.