Most common type of state Medicaid breach? Misdirected letters, faxes

State Medicaid agencies are more likely to experience a breach affecting a single individual, rather than a large-scale incident affecting numerous patients, according to a report from the Office of Inspector General at HHS.

For the report, the OIG gathered information on the 1,260 breaches that state Medicaid agencies and their contractors reported experiencing in 2016. The OIG also surveyed Medicaid agencies from all 50 states and Washington, D.C., about their processes for responding to data breaches and reviewed documents from agencies in nine states to learn how they responded to breaches in 2016.

Most of the breaches reported by state Medicaid agencies and their contractors disclosed information about a single individual and typically resulted from misdirected letters or faxes. By contrast, large breaches, such as those resulting from hacks to a computer system, were rare.

The OIG also determined most state Medicaid programs followed a common framework when responding to data breaches — which often didn't include notifying CMS, despite CMS issuing guidance in 2006 advising states to inform the agency of breaches of Medicaid data. Most states acknowledged they do not routinely send this information to CMS.

Most states' response plans to data breaches comprised four steps: (1) learning about the incident, (2) assessing the incident, (3) taking steps to protect those affected and (4) correcting vulnerabilities. Depending on the circumstances and severity of the breach, states will also notify affected individuals and HHS' Office for Civil Rights.

In response to its findings, the OIG recommended that CMS reissue its guidance to state Medicaid agencies regarding reporting Medicaid breaches to CMS. "Collecting information on a national scale regarding Medicaid data breaches could help CMS identify breach trends and promote effective state responses," the OIG wrote in its report.

CMS agreed with the recommendation.
