Siblings fired for sharing information of 91,000 Washington Medicaid recipients

The Washington Health Care Authority (HCA) is sending letters to 91,000 Apple Health (Medicaid) recipients to notify them of a breach of protected health information (PHI) following improper handling by an HCA employee. The employee sought technical help from her brother, an employee of the Department of Social and Health Services (DSHS), and in doing so, provided him with information, including clients’ Social Security numbers, dates of birth, addresses and phone numbers, Apple Health identification numbers, and medical procedure and diagnosis information. Although there is no evidence that the information was used improperly, the HCA could not verify that the information remained within the state system.

Health Insurance Portability and Accountability Act (HIPAA) (P.L. 104-191) covered entities (CEs)—health plans, health care clearinghouses, and health care providers that transmit health information electronically in connection with certain transactions—must notify patients when their PHI has been compromised, a process referred to as “breach notification” (sec. 13402 of the Health Information Technology for Economic and Clinical Health (HITECH) Act, enacted as part of the American Recovery and Reinvestment Act of 2009 (ARRA) (P.L. 111-5)). CEs must notify patients of breaches unless they actually demonstrate a low probability that PHI was compromised (78 FR 5566).

In this instance, the HCA employee, a medical assistance specialist, exchanged emails containing PHI with her brother, an internet technician, from 2013 to 2015, when she asked him for technical assistance with spreadsheets containing PHI. The exchanges were uncovered during the course of a whistleblower investigation of misuse of state resources. Because of a viable possibility that PHI was leaked outside of the system, the HCA was required to notify affected individuals.

The HCA is offering one year of free credit monitoring to Apple Health clients affected by the breach. The HCA and the DSHS terminated both employees.