The Arkansas Department of Human Services today disclosed a security breach affecting hundreds of Medicaid recipients and resulting in an employee’s firing.
The department has begun notifying the affected clients by mail, according to a news release. Further, the employee responsible for the breach was terminated, department spokesman Gavin Lesnick said in an email.
DHS said it became aware on Sept. 16 that an employee had sent emails from her DHS email to her personal email account with client information attached.
“The attachments consisted of Excel spreadsheets used to notify the Department of Health of the number of Medicaid clients who had been diagnosed with the flu,” the release said.
While the information did not include names, Social Security numbers or the Medicaid recipient’s full addresses, it did include their ID, date of birth, gender, county, zip code and a flu diagnosis of 925 individuals.
“No financial information was included, and the only health information disclosed was the flu diagnosis,” the release said.
Lesnick said the agency reported the breach to the U.S. Department of Health and Human Services Office for Civil Rights. “There was no financial information or indication of Medicaid fraud in this breach,” he said.
Asked why the agency took so long to notify those affected, Lesnick said, “DHS followed the required protocols for notification of clients. The timeline includes investigating what happened to determine the extent of the breach.”
“Although the information was limited in nature, DHS takes the privacy and security of its clients seriously, and when this incident was discovered, DHS took steps to mitigate the risk and prevent similar incidents from happening in the future,” it added.
Anyone affected who has questions or concerns may contact email DHSPrivacyOfficer@dhs.arkansas.gov or call the toll-free number 1-855-283-0835.