For the report, the OIG gathered information on the 1,260 breaches that state Medicaid agencies and their contractors reported experiencing in 2016. The OIG also surveyed Medicaid agencies from all 50 states and Washington, D.C., about their processes for responding to data breaches, and reviewed documents from agencies in nine states to learn how they responded to breaches in 2016.
Most of the breaches state Medicaid agencies and their contractors reported disclosed information about a single individual, and typically resulted from misdirected letters or faxes. By contrast, large breaches — such as those resulting from hacks to a computer system — were rare.
The OIG also determined most state Medicaid programs followed a common framework when responding to data breaches — which often didn’t include notifying CMS, despite CMS issuing guidance in 2006 advising states to inform the agency of breaches of Medicaid data. Most states acknowledged they do not routinely send this information to CMS.
Most states’ response plans to data breaches comprised four steps: (1) learning about the incident, (2) assessing the incident, (3) taking steps to protect those affected and (4) correcting vulnerabilities. Depending on the circumstances and severity of the breach, states will also notify affected individuals and HHS’ Office for Civil Rights.
In response to its findings, the OIG recommended that CMS reissue its guidance to state Medicaid agencies on reporting Medicaid breaches to CMS. “Collecting information on a national scale regarding Medicaid data breaches could help CMS identify breach trends and promote effective state responses,” the OIG wrote in its report.
CMS agreed with the recommendation.