The Department of Health and Human Services’ Office of Inspector General (OIG) has released a new report revealing that the majority of Medicaid data breaches are minor and affect only a very limited number of Medicaid recipients. In the report, OIG assessed all data breaches that Medicaid agencies and their contractors disclosed in 2016. According to the report, 1,260 breaches were reported in 2016, resulting in the theft, exposure, or impermissible disclosure of the PHI of 515,000 Medicaid beneficiaries.
About two thirds of the Medicaid data breaches reported in 2016 affected one person, 29% affected 1-9 persons, and just 1% were large-scale breaches affecting 500+ individuals.
Though the reasons for the breaches varied, most were due to simple errors such as misaddressing an email, letter, or fax. Breaches of this type typically affected a very small number of people and were mostly limited to a beneficiary’s name, Medicaid ID, or another ID number. Only 303 of the 1,260 breaches involved compromised Social Security numbers, and just 23 exposed financial information. Only 9 hacking incidents involving Medicaid data were reported in 2016.
Previous OIG investigations have mostly focused on identifying vulnerabilities in network systems and controls that could be exploited to gain access to Medicare and Medicaid systems and data. The latest review was primarily concerned with how Medicaid agencies and their contractors responded to breaches and security incidents.
Aside from evaluating Medicaid data breaches, OIG looked at the breach response guidelines and procedures in force in the District of Columbia and the 50 states. The majority of states followed a standard breach reporting framework: investigating breaches and their scope, determining the best way to respond, protecting breach victims, and taking steps to address vulnerabilities and prevent similar security breaches in the future. As part of the investigation, OIG examined the responses to specific data breaches in nine states to gain a better understanding of breach response processes in action.
OIG saw slight differences in breach response processes between states, although these were largely due to differences in state-level breach reporting requirements. All entities submitted breach reports to the HHS’ Office for Civil Rights and were complying with the requirements of the HIPAA Breach Notification Rule. The same could not be said of the requirement to notify the Centers for Medicare & Medicaid Services (CMS) separately, even though CMS has required this since 2006. OIG believes that this could be due to the introduction of the HIPAA Breach Notification Rule in 2009.
The failure to notify CMS makes it harder for the agency to monitor data security issues, identify multi-state data breaches, and identify areas where guidance is required to address common security issues. To correct the problem, OIG recommended that CMS issue updated guidance to Medicaid agencies and their contractors about the importance of submitting a separate breach report to CMS. CMS concurred with the recommendation.