The personal information of almost 20,000 children was accidentally disclosed in a healthcare data breach at WellCare Health, a contractor administering Missouri Medicaid plans. Aimed at children and pregnant women, Missouri’s Medicaid program, called MO HealthNet, covers about 275,000 people throughout the state.
A “mailing error” caused reminders about well-child visits for the company’s Missouri Medicaid members to be sent to the wrong addresses. The letters contained personally identifiable health information including children’s names, their ages, and the names of their providers.
WellCare Health Plans Inc., discovered the error on July 25, 2018 and announced it almost a month later via a public letter sent to the media.
After conducting an internal investigation, the company found no evidence that the leaked information was misused. Still, the affected families were advised to be vigilant about any suspicious activity on their credit card bills and account statements.
The company also instructed affected participants not to disclose personal information over email and offered them one year of free credit monitoring services from Experian.
“We are taking steps to prevent something like this from happening again,” said Ted Webster, Vice President and Chief Security and Privacy Officer at WellCare.
While this breach is less alarming than others in which leaked data involved account information or full clinical reports, experts say it could still be a violation of the Health Insurance Portability and Accountability Act (HIPAA.)
This is the second time Missouri Care members’ personal information was exposed as a result of a programming error. A year ago, the company faced a similar crisis. The stakes were lower; a little over 1,200 members’ data was leaked; none of it contained medical or financial details.
In 2016, almost 25,000 WellCare members were affected by a data breach by
a contractor providing reinsurance services. That case was part of a ransomware attack.
Three years earlier, in 2013, MO HealthNet told more than 25,000 of its members that their sensitive information, including full Social Security numbers, was mailed to incorrect addresses. The culprit was, once again, a “software programming error.”
Missouri’s Medicaid breaches weren’t significant, neither are they uncommon. Quite the opposite. There is at least one data breach per day in the healthcare industry.
Over 1 million patient records were exposed in 110 healthcare data breaches in the first quarter of 2018, according to the Protenus Breach Barometer.
For executives in healthcare, every cyber attack or data leak should be a stark reminder that their company – and the clients they serve – could be next.
Hospitals, pharmacies or health insurance companies are more than beacons of hope and health; they are also personal data bank vaults.
The healthcare industry is known for its weak security. Healthcare organizations experience more than twice the number of attacks on average as compared to organizations in other vertical market categories, according to recent reports. Healthcare data breaches are the most expensive among industries, with each breach costing organizations nearly three times more than the global average across other industries.
Yet for all the damage they can cause, security breaches ranging from mail leaks to cyber attacks can be avoided or at least contained. When organizations are well-equipped for emerging technologies, they are harder to penetrate.
Technology, the driving force behind innovation in healthcare, is also its best ally to keep hackers from getting their hands on sensitive data.
Cutting-edge techniques, including Big Data and machine learning can not only drastically improve health services, but also strengthen data security by detecting issues before they lead to a disaster.