Business Associate (BA) Causes 188,000 HIPAA Patient Data Breach

July 2, 2013

We keep talking about knowing what PHI your BAs access and how they access, store, maintain, process and, most importantly, protect it, but the parade of stories about HIPAA data breaches by BAs continues.

Computer glitch exposes data of 188K

Indiana agency notifies patients of mass HIPAA breach

INDIANAPOLIS July 2, 2013

Erin McCann, Associate Editor

Healthcare IT News

In one of the largest HIPAA breaches reported this year, the Indiana Family and Social Services Administration is notifying 187,533 clients that their protected health information, financial and employment data and, in many cases, Social Security numbers have been compromised following a computer programming glitch.

Officials announced July 1 that the HIPAA breach, which resulted in clients receiving personal and private documents belonging to other clients, occurred after FSSA contractor RCR Technology Corporation made a computer programming error in a document management system the company supports for FSSA. This error caused documents being sent to clients to be duplicated and also inserted with documents sent to other clients.

Client information compromised includes patient names; addresses; dates of birth; demographic data; contact information; types of benefits received; monthly benefit amount; employer information; financial data such as monthly income and expenses; bank balances and other assets; medical information such as providers, disability benefits and medical condition; and certain information about the client’s household members like name, gender and date of birth.

Moreover, of the 187,533 clients, 3,926 may have had their Social Security numbers disclosed. This is being noted in the specific letters being sent to this smaller group. Indiana FSSA is mailing notification letters to patients this week.

“We at RCR Technology Corporation apologize that our actions may have caused some FSSA client information to be disclosed in error,” said Robert C. Reed, president of RCR Technology Corporation, in a July 1 press release. “We will do everything possible to prevent such an incident from happening again in the future.”

Jim Gavin, spokesperson for Indiana FSSA, said the error occurred in customized code developed specifically for the document center. “The issue occurred in one component of the document management system consisting of customized Java code created specifically for use on our eligibility system,” said Gavin in an emailed statement to Healthcare IT News. “The specific problem was an improperly used variable.”

Officials say the programming error was made on April 6, 2013, and affected correspondence sent between April 6, 2013, and May 21, 2013. The error was discovered on May 10, 2013. RCR determined the root cause of the programming error and it was corrected on May 21, 2013.

“Clients entrust their information to us and we take the security of that information very seriously,” said Debra Minott, FSSA secretary, in a press statement. “We are ultimately responsible for the safekeeping of that information and regret that in this rare instance some information may have been accidentally shared inappropriately.”

FSSA is providing clients with the option of a 90-day fraud alert. Most HIPAA-covered entities following a breach provide patients or clients with a year of complimentary fraud alert and credit monitoring services.

This is the second HIPAA breach for the Indiana FSSA. In 2012, the agency reported the theft of a company laptop containing the protected health information of 757 clients.

