The Washington State Health Care Authority (HCA) announced yesterday that employees at two state agencies committed a HIPAA violation by improperly exchanging private data pertaining to its Apple Health Medicaid clients.
How many victims? 91,000
What type of information? Social Security numbers, birthdates, Apple Health client ID numbers and private health information.
What happened? Two state workers from separate state agencies exchanged Apple Health client files, after the HCA employee requested technical assistance with spreadsheets containing the private data. This HIPAA violation was uncovered during an unrelated whistleblower investigation into misuse of state resources.
What was the response? HCA conducted a joint internal investigation with the other involved agency to assess the extent of the violation. HCA contact the affected customers and offers one year of free credit monitoring for them. While this does not appear to be a malicious breach, the two culpable employees were terminated.
Details? “While we have no indication that the client files went beyond the two individuals involved, important privacy laws were violated and we are exercising caution and due diligence given the nature of the information,” said HCA Risk Manager Steve Dotson in the agency's press statement. HCA's Apple Health program covers more than 1.8 million low-income Washington residents.