Why OIG Did This Review State Medicaid agencies and their contractors maintain and process health information for millions of beneficiaries. Prior OIG reviews have identified vulnerabilities in States' information systems and controls--vulnerabilities that could have resulted in unauthorized disclosure of protected health information (PHI). States must be prepared to respond to breaches to limit potential harm, such as identity theft and fraudulent billing. How OIG Did This Review. We collected information about all breaches that Medicaid agencies and their contractors reported experiencing in 2016. We also surveyed 50 States and the District of Columbia to learn more about their processes for responding to breaches of PHI. Lastly, we interviewed and reviewed documents from officials in nine States to learn more about how each State responded to a specific breach that we selected and about their breach-response processes more generally. For each of these nine breaches, we examined how the State learned about the incident; how it determined whether the incident constituted a breach under HIPAA; how the State and others investigated the breach; and what actions the State took to protect its beneficiaries and programs and to correct vulnerabilities. What OIG Found. In 2016, State Medicaid agencies and their contractors identified 1,260 data breaches. The characteristics of these breaches varied widely, but they typically affected few beneficiaries; often resulted from misdirected communications, such as letters and faxes; and exposed beneficiaries' names and Medicaid or other identification numbers. Breaches that resulted from hacking or other IT incidents were rare. Most States' breach-response plans follow a common framework: (1) learning about incidents; (2) assessing incidents and determining how to respond; (3) taking steps to protect those affected; and (4) correcting vulnerabilities. However, the specific actions that States take vary depending on the circumstances of each breach and on any applicable State laws and requirements. These State actions address the potential harm that breaches can pose to Medicaid beneficiaries and programs. Almost all States reported learning about breaches from contractors and their employees. Many States also have received breach reports from beneficiaries and/or their family members and medical providers. For some breaches, State Medicaid agencies and their contractors conducted forensic analyses of their information systems and worked with law enforcement agencies to further investigate the breaches. States reported that, in their efforts to protect Medicaid beneficiaries, they notified people who were affected by breaches and typically offered them services for credit monitoring and for protection against identity theft. In some cases, States reported issuing beneficiaries new Medicaid identification numbers when the old numbers were compromised. States described corrective actions, such as retraining employees; modifying policies and procedures; and restricting access to protected health information to address vulnerabilities that allowed the breaches to occur. States' breach-response processes also address the requirements under the Breach Notification Rule--part of the Health Insurance Portability and Accountability Act (HIPAA)--for States to notify affected individuals and the Department of Health and Human Services' Office for Civil Rights. In 2006, the Centers for Medicare & Medicaid Services (CMS) issued guidance advising States to inform CMS of breaches of Medicaid data. Some States stated that they report breaches to CMS in certain circumstances; however, most States said that they do not routinely do so. What OIG Recommends and Agency Response. We recommend that CMS reissue guidance to States about reporting Medicaid breaches to CMS. Collecting information on a national scale regarding Medicaid data breaches could help CMS identify breach trends and promote effective State responses. CMS concurred with our recommendation.
The National Library of Medicine believes this item to be in the public domain. (More information)