AccessHealthCT, the health insurance exchange in Connecticut, announced that an employee of a contractor left a backpack containing the protected health information of 400 of the state’s residents on the street. The information left behind was written on a notepad and included various combinations of the customers’ names, birth dates and Social Security numbers.
The backpack was found outside of a deli on Trumbull Street in downtown Hartford. The exchange is located down the street. The contractor who employed the owner of the backpack is Maximus, the firm that operates the exchange’s call center.
In an initial statement released on June 6 (the day on which the incident occurred), AccessHealthCT CEO Kevin Counihan said they were working with Maximus to address the situation, including the possibility of identity theft as a motive of the individual who left the backpack. The legal department at AccessHealthCT was also said to be filing all required state and federal breach reports.
Maximus’ COO told the Hartford Courant on June 7 that fewer than 200 Social Security numbers were on the notepad. Maximus put the suspected employee on an administrative leave and has since then investigated the incident further—an investigation which led to the conclusion that the employee was acting without malicious intent.
Without detailed knowledge of the situation, it is possible that fraud was not a motive: the employee may have been legitimately taking notes and simply forgot that the notebook was in the backpack. Maximus did state that employees are prohibited from removing protected information from the facility, and therefore the employee presumably (and perhaps unknowingly?) violated this policy.
Since the breach’s discovery, Maximus sent 395 letters to those affected offering them options to help protect their identity at the company’s expense. These options include credit monitoring, fraud resolution services, identity theft insurance, and security freezes of credit reports.
What are the key takeaways for HIPAA-covered entities?
- All employees, including contractors and employees of contractors, should be thoroughly trained on your organization’s privacy and security policies
- All employees should be responsible for reporting any suspicious or unusual behavior. For example, is someone making notes when there is no legitimate need to do so?
- Policies regarding paper records should be clearly documented in policies and procedures.
- Other controls, discussed in this post, are also appropriate to prevent and deter fraudulent behavior.
Additional controls that are helpful to enact to prevent fraudulent behavior include those we covered in this recent blog post about the indictment of a tax fraud gang in Alabama that stole the personal information of patients served by a military hospital, an unnamed state department and other facilities.