Legal action difficult in Medicaid data breach



SALT LAKE CITY — There aren't many breaches of secure information large enough to report to the U.S. Department of Health and Human Services, but when they do happen, there is little recourse for individuals who are affected.

The only possible remedy would come from enforcement of a violation of the Health Insurance Portability and Accountability Act, if one is substantiated in the first place, according to Tenielle Brown, an associate professor at the University of Utah's S.J. Quinney College of Law.

In Utah, action would have to be taken by the state's attorney general or the federal Office for Civil Rights.

"Of the two parts of the HIPAA rule, the privacy rule is trying to get at that unauthorized disclosure of patient medical records," Brown said. "It doesn't appear to be what happened in this case. It appears it was a security breach just by failing to have adequate safeguards in place."

In the case of Utah's recent Medicaid information breach — in which the health information of approximately 780,000 Utahns, including potentially 255,000 Social Security numbers, was compromised — individuals would have to prove financial harm, which might take years to realize, Brown said.


"It's unsatisfying to have to wait that long and then bring it through the often lengthy court process as well," she said, adding that the biggest effect of last week's breach might be loss of public trust in the Medicaid system.

"There aren't alternatives to providing these services," Brown said. Private information is pertinent to obtaining health insurance and medical care. "You have to give up that information."

Possible legal action

It is possible that Utah may incur fines for not securing the information properly, up to $1,000 per record that was compromised. But Brown said it is a long shot for any person to go after the state themselves.

"A person would have to show that there was something reckless done by the state," she said. "And it doesn't sound intentional in this case."

Only violations affecting more than 500 people get reported to the federal government and the last reported offense occurred in Indiana, where health information of 20,000 people was presumed stolen. Utah's breach isn't the largest in the country, but ranks up there with some of the most substantial in history.




It is, however, the most extensive case ever to occur within the state.

"I think the protocols need to be strengthened," said University of Utah computing professor Matt Might. "This was more than just a misconfigured server, it was also a lack of things like encryption and proper internal access control."

What infiltrators look for and what they do with data they find

Hackers traced to an Internet protocol address in Eastern Europe are suspected to have accessed the state's information during a time of particular vulnerability, late in the day on March 30. Medicaid information is housed on any one of the 125 of the state's 520 networked servers that are used by the Utah Department of Health.

Might said the supposed infiltrators are likely specialized information thieves and the information they retrieved will be or already has been sold on the black market, "which is huge for this sort of thing."

In addition to applying for credit cards, individuals who are familiar with the value of such personal information, he said, could likely use it to help illegal immigrants file for employment, file fraudulent tax returns and perpetrate Medicare and Medicaid fraud, which is already a $50 billion problem in the U.S.

"Once it's out there, it's out there," Might said. "You could put a fraud alert on your credit report, but that's all you can do."

What's being done by the state

Fortunately, the immediate vulnerabilities of the breached system, and perhaps others, have been closed, but Might hopes the state has learned its lesson.

"This is a major wake-up call to everyone," Might said.

The health department is currently attempting to contact any affected individuals via official letterhead, mailed to the homes of those whose information was involved in the breach. Rumors of scams have already come to light, as people are being contacted by phone and text, as well as emails, regarding the compromised information.

"Crooks watch the news as well as the good guys. We want to make sure we don't have any more victims," said Francine Giani, director of the Utah Department of Commerce. She said any contact regarding the situation will come directly from the UDOH.

"We want to make sure we take care of those people whose names and information has been out there," Giani said, adding that it is possible that some people may end up needing new Social Security numbers when all is said and done, which, she admitted, is "a little bit of a bother."

What individuals can do

Giani said that regardless of this information breach, everyone should keep an eye on their credit reports, at least once every couple of years, "to make sure everything is accurate and correct."

While no victims have reported formal complaints, the agencies hope to thwart any fraudulent schemes by alerting the public, and the state is notifying everyone impacted by letter.

"The key is we want to be able to stop any potential problem from happening in the future," said Executive Director of the Utah Department of Commerce, Francine A. Giani. "So we want the public to know they will not be reached by telephone, text or email. It will be by a letter."

She also reminded consumers that government agencies will never ask for personal information over the phone, by text or by email. Consumers are reminded to never give out personal account information, Social Security numbers or other identifying information to strangers.

The state is offering to cover the costs of up to a year of credit monitoring services for each person impacted. More information can be found online, at www.health.utah.gov. An information hotline is also available, by calling 1-855-238-3339, toll-free.

Contributing: John Daley, Jasen Lee

Wendy Leonard
