This past summer, the state of Colorado’s Medicaid program, the Colorado Department of Health Care Policy and Financing (HCPF), accidentally sent letters containing PHI to the wrong addresses, affecting individuals from 1,069 households.
According to the HCPF’s press release, the letters may have included:
- State ID or Medicaid case number
- Names of family members in the affected households
- Employer’s names
- Income information
- Amount of an Advanced Premium Tax Credit
- Approval status of several medical assistance programs
Fortunately, none of the Colorado Medicaid mailings included social security numbers or payment information that could be used for identity theft.
Joseph Goedert’s article for HealthData Management adds that HCPF also mailed letters concerning non-health-related government programs. This raises the number of affected households from 1,069 to 1,622, though these letters do not fall under HIPAA’s jurisdiction.
Tauna Lockhart, spokesperson for the Colorado Governor’s Office of Information Technology (CO-OIT), told Healthcare IT News that the breach was the result of a recent update to the state’s information system. The CO-OIT first heard about the breach on July 1, acted immediately, and resolved the issue within four days. In response to the breach, they added multiple precautions to ensure that similar incidents do not occur in the future.
For more information on the breach, you can find the Colorado Department of Health Care Policy and Financing’s original press release here, as well as a copy of the notice letter they sent to affected households.
This article was originally published on Health Security Solutions and is republished here with permission.Steve Spearman hosts HIPAA Chat, a show produced by HITECH Answers airing on our Internet radio station, HealthcareNOWradio.com. Learn more about HIPAA Chat or download podcasts of the show. Find out more about attending the next taping of HIPAA Chat and ask your questions directly to Steve.