Lost USB drive source of breach for Utah Medicaid patients

 
 
 
 - USB, privacy, security, patient data, record
 

The Utah Department of Health (UDOH) has begun the process of notifying approximately 6,000 Medicaid clients that some of their personal information was misplaced by a third-party contractor. The contractor, Goold Health Systems, processes Medicaid pharmacy transactions for the UDOH.

In violation of department policy and its contract with the department, a Goold employee saved personal health information on an unencrypted, portable USB memory device and then left UDOH headquarters with the device, according to a release. The employee misplaced the device while traveling between Salt Lake City, Denver and Washington, D.C. Goold confirmed the data were missing on Jan. 15.
 
Personal information included in the data is limited to a Medicaid recipient’s name, Medicaid identification number, age (but not date of birth) and recent prescription drug use history. 
 
The department is taking steps to protect the affected Medicaid identification numbers against potential fraudulent use. The Office of the Inspector General for Medicaid Services has been alerted to the situation and will also be monitoring for suspicious activity. In addition, the Office of the Health Data Security Ombudsman will commit its full resources to assisting affected clients in any way they need.
 
Medicaid clients whose information was involved will receive letters from the UDOH alerting them to the situation within the next several days.
 
“I have directed UDOH attorneys to review our contract with Goold Health Systems, and I fully intend to seek whatever financial or contractual remedies are available in order to ensure [Goold] is held accountable for this serious mistake,” said UDOH's Executive Director W. David Patton, PhD. “Protecting our clients’ personal information is of utmost importance to our department, and it must be the number one priority of our contractors as well.”
 
Patton also said he expects Goold to assure the appropriate disciplinary action is taken, and that the responsible employee no longer be allowed to work with UDOH data.