An employee and a supervisor of Kansas Department of Aging and Disability Services (KDADS) were fired in February for sending emails containing PHI of about 11,000 individuals, according to HealthDataManagement.
The employees intended to send lists of case assignments to each of the agency’s business associates (BAs). Instead, all lists of case assignments and accompanying information were sent to all BAs.
No financial information was included in the emails; however, social security numbers, gender, and in-home services program participation information, and Medicaid numbers were among the identifiers.
The emails were only sent to KDADS’s BAs who are required to protect the information under their business associate agreements. Nevertheless, KDADS informed the affected individuals of the incident. Affected individuals were advised to put a security freeze and fraud alert on their credit reports.
No other details about the incident or what caused the error were provided. It is unknown whether the emails were encrypted, although it likely would not have made a difference in KDADS’s decisions to terminate the employees or notify the affected individuals. KDADS has only indicated it is installing safeguards to prevent a re-occurrence.
Whatever the specific causes, an incident like this indicates a breakdown in procedures related to handling and distributing PHI. This incident should serve as a warning to other organizations to review their own PHI handling procedures. Do you have clear methods for distributing PHI to business associates and other Covered Entities in a secure manner, such as using only encrypted email or file sharing? What processes are in place to verify that PHI is being sent only to those who need it? How often are staff trained in these procedures, and how comfortable are they with following them? What checks are in place to prevent an accidental breach like this from occurring in your organization? Clear policies and procedures, proper training of staff, and appropriate physical, technical, and administrative safeguards give your organization the best chance of avoiding an error such as this.