On February 1, 2010, 49,352 Medi-Cal beneficiaries were mailed information and their social security numbers were on the address mailing labels.
The first question this raises is why the mailing house or mail room had the recipients’ social security numbers in the first place? Assuming we can get past that, should we assess how the government deals with these types of security breaches and act accordingly?
As a curative notion, Medi-Cal advises that it has sent notification letters to the 49,352 beneficiaries alerting them to the security breach. The letter also advised beneficiaries how to protect themselves from identity theft by contacting the three credit reporting agencies and placing a fraud alert on their files.
We can contrast this with the security breach that occurred with HealthNet who offered its beneficiaries two years of credit bureau monitoring for free. In light of the government’s position, was this move by HealthNet excessive?
In fact, HealthNet is not the only organization that has gone to that length when there were breaches of PHI.
Considering that Medi-Cal is a senior program, one can only wonder what benefit the letter containing information as to how to contact the credit reporting agencies is really worth.
At this point, one might think that the breach at HealthNet was more troublesome than the breach at Medi-Cal. I leave it to the readers of this article to decide.
In the case of HealthNet, an optical drive was missing, and while the information was not encrypted, special software would be needed to be able to view it. One might argue that the likelihood of the drive ending up in a landfill and/or in the hands of someone who neither knew what it contained nor had the ability to extract the information was most likely.
In the case of Medi-Cal, the information was apparently front and center on every envelope. Of course Medi-Cal’s position is that because the numbers were not separated by hyphens they were not clearly identifiable as a social security number. I think that the press coverage of this incident may auger in favor of the fact that the masses know what those nine digits represent.
On the other hand, in the case of HealthNet, a single person having possession of the optical drive would have access to many different health records whereas in the case of the Medi-Cal situation, the almost 50,000 letters are spread throughout the state – unless you have access to the mailbox at senior citizens communities.
Should the Medi-Cal mishap serve as guidance to the private sector?
Considering that the government has allowed the covered entities to do their own risk assessments in the case of unauthorized dissemination of PHI, the Medi-Cal case would apparently give a lot of latitude in the risk assessment process.
Which brings us to the basic question; will the government be held to the same standard as the private sector, and on the other hand, should the private sector learn from how the government deals with HIPAA and HITECH breaches?