Medicaid Card Mismailing Affects 49,000
Incident Is Second Recent Breach for N.C. Health Department
The North Carolina Department of Health and Human Services recently mailed almost 49,000 Medicaid ID cards to the wrong recipients. The incident is the second breach revealed by the department in recent months.
In November, the department reported a breach involving the inadvertent posting of hospital patient payment information on a state website for several years (see: N.C. State Website Exposes Patient Info).
The department reports that on Dec. 30, it mailed almost 49,000 Medicaid cards to the wrong addresses "due to human error in computer programming and the quality assurance process in printing the new Medicaid identification cards," says Sandra Terrell, the department's acting Medicaid director, in a statement released Jan. 6.
"These new cards were printed for children switched from NC Health Choice to Medicaid because of new eligibility rules and requirements under the Affordable Care Act," Terrell says. "A program was developed to extract the information from the eligibility database to generate the mailing but utilized the incorrect name and address for the parent or responsible adult."
Information on the incorrectly mailed cards includes the child's name, Medicaid identification number, date of birth and primary care physician. No Social Security numbers were compromised in the breach, Terrell says in the statement.
The department became aware of the mistake on Dec. 31 when it received reports that some recipients received the wrong Medicaid cards. Staff from within the department's Medicaid division sent an automated message to all county departments of social services informing them that some Medicaid cards had been mismailed. The department's leadership was informed of the issue on Jan. 2 and requested an analysis to determine the extent of the problem and its cause.
Terrell says Medicaid recipients will be issued new cards with new Medicaid ID numbers as soon as possible to prevent fraud. "By issuing new Medicaid ID numbers, the mistakenly sent Medicaid cards will be invalid. Issuance of a new Medicaid number will mitigate potential misuse of the incorrectly issued cards. Additionally, the Medicaid division will flag the affected Medicaid ID cards within DHHS' computer systems to treat them with extra scrutiny and caution. DHHS will be alerted if those compromised cards are used."
The department has begun mailing breach notification letters to the parent or responsible adult of each affected Medicaid recipient, explaining what they should do until the new Medicaid card is received.
"DHHS understands parents and responsible adults are concerned about unauthorized activity on the child's accounts," says the statement. "DHHS will send impacted recipients statements of Medicaid services rendered using their Medicaid ID number. This will help families to know whether the child's Medicaid ID number was misused."
The health department is encouraging affected individuals to contact credit bureaus to ask that a fraud alert be placed on their account.
In the earlier breach incident involving the health department, the agency in November notified 1,315 individuals that information regarding all payments made by North Carolina's state hospital accounts - including those to patients - had been mistakenly posted on the NC OpenBook website for several years.
The NC OpenBook site was created in compliance with an executive order in 2009 by then-Governor Beverly Perdue that required the Office of State Budget and Management to build and maintain a searchable public website on state spending for grants and contracts, including payments to vendors and contractors, according to a statement from the state health department.
The state was posting information on NC OpenBook regarding all payments made through its accounting system, the statement notes. But after the North Carolina health department received a complaint, the current administration of Gov. Patrick McCrory in August discovered that the information being manually posted monthly to NC OpenBook included inappropriate payment data related to state healthcare facilities.
Independent security consultant Brian Evans says both North Carolina incidents illustrate how programming-related mistakes can result in breaches.
"Organizations typically leverage multiple programming languages in order to address specific types of tasks," Evans says. "But new and ever-changing business requirements, combined with the increasing complexity of applications, are forcing many organizations to progress at a frantic pace, which increases the likelihood of something bad happening like a data breach."
Nonetheless, an organization's management team is ultimately responsible for protecting the business by managing risk, Evans notes. "This includes risks to people, process and technology required to conduct business," he says. "Management is also responsible for making the best possible use of resources and choosing cost-saving measures to improve efficiency. Such choices often aggregate risks to which an organization is exposed, sometimes in subtle ways."
This aggregated risk, Evans says, "should be managed more effectively at North Carolina Department of Health and Human Services in order to avoid future breaches."
Programming mistakes can be minimized by taking several key steps, Evans says. Those include:
- Organizations should frequently test source code, environment configurations and hardware.
- Staff should be trained on best practices. The most successful training includes having mentors work as a part of the team, he says.
- Programming staff should be held accountable for the integrity and quality of work through rewards and punishments.
- Roles and responsibilities in programming projects should be clearly defined and understood to ensure tasks and procedures are adequately completed and followed.