MHSS Business Associate Improperly Retained PHI of 10,400 Patients
The Missouri Department of Health and Senior Services (MHSS) is informing 10,400 patients about a recently discovered incident involving their protected health information (PHI).
MHSS found out on August 30, 2018 that an IT contractor had improperly retained the PHI of 10,400 patients after work duties had been completed and that the information had been stored insecurely in a file that lacked password protection.
The IT contractor had worked on an MHSS information system before September 30, 2016, and should have returned the file or deleted the data when it was no longer required. Upon discovery of the HIPAA violation, MHSS quickly took steps to recover/secure the file and attempted to make contact with the contractor. It is currently unclear whether the electronic file has been deleted. The DHSS has reported the matter to the appropriate authority which will investigate to determine whether legal action is necessary.
According to a statement released by the DHSS, the file contained names, birth dates, and state identification numbers. Some patients’ Social Security numbers were included in the file. The amount of PHI in the file differed from patient to patient.
While the retention of the PHI is considered to be a violation of HIPAA Rules, there is no indication that any of the information in the file has been used inappropriately. The DHSS has recommended that patients whose PHI was exposed should monitor the Explanation of Benefits statements they receive from their health insurers for any medical services that are listed but have not been received. Account statements should be checked for fraudulent activity, and patients should obtain a copy of their credit files and check the reports carefully.