Indiana Agency Notifies 188,000 of Breach
Business Associate's Programming Error Apparent Cause
The Indiana Family and Social Services Administration is notifying almost 188,000 clients that their personal information may have been inadvertently disclosed in mailings to other clients, apparently as a result of a computer programming error by a business associate. The information potentially exposed includes Social Security numbers for about 4,000 clients.
FSSA administers the state's Medicaid program and also coordinates the state's mental health, addiction and developmental rehabilitation services.
The agency says the accidental disclosures may have occurred when RCR Technology Corp., one of its contractors, made a computer programming error in a document management system the contractor supports. "This error caused an undetermined number of documents being sent to clients to be duplicated and also inserted with documents sent to other clients," the agency said in a statement. "This means some of the clients may have received documents belonging to other clients along with their own documents."
Extent of the Breach Unclear
An FSSA spokeswoman says the contractor responsible for the mistake was unable to determine how many individuals were actually sent the erroneous documents. However, as of July 8, only 14 people had contacted FSSA about receiving the incorrect papers, she says.
"Because the vendor wasn't able to identify definitively those who were impacted, we're forced to notify everyone who might've been affected," the spokeswoman says. "We don't have any idea how many people were impacted, but we strongly believe the number was small."
If the Department of Health and Human Services confirms in an investigation that 188,000 were potentially affected, this would be the largest healthcare information breach in 2013 so far, according to the HHS breach tally. As of July 8, the incident was not yet listed on the HHS breach site.
The potentially breached information, the agency says, may have included name; address; case number; date of birth; gender; race; telephone number; e-mail address; types of benefits received; monthly benefit amount; employer information; financial information, such as monthly income and expenses, bank balances and other assets; certain medical information, such as provider name and whether the client receives disability benefits; medical status or condition; and certain information about the client's household members, including names, genders and dates of birth.
Of the 187,533 clients who may have been affected, 3,926 may have had their Social Security numbers disclosed. The agency notes that this is stated in the specific letters being sent to that smaller group.
The programming error was made on April 6, 2013, and affected correspondence sent between April 6, 2013, and May 21, 2013, according to the statement. The error was discovered on May 10, 2013. RCR determined the root cause of the programming error and it was corrected on May 21, 2013.
FSSA has not offered to pay for services to affected clients, such as credit monitoring, the spokeswoman says. In notifications, clients are being advised of steps they can take for free to protect themselves against identity theft, she says. This includes placing a fraud alert on their credit report by calling the toll-free number of any of the three credit bureaus. A fraud alert places a note on a credit report for 90 days requiring creditors to verify identity before granting credit.
Those clients who may have had their Social Security information disclosed are being advised to place a security freeze on their credit reports from the three major credit agencies. "This can block an identity thief from opening a new account or obtaining credit in the client's name," according to the FSSA statement.
Business Associate Breaches
According to HHS' breach tally, about 22 percent of all major health data breaches since September 2009 have involved business associates. And so far in 2013, about 29 percent of breaches have involved business associates (see: Fewer Health Breaches, But Same Culprit).
Some breaches involving business associates are very difficult to prevent, says Kate Borten, president of security consulting firm The Marblehead Group. "I don't have any clients with the resources to have been monitoring their business associates to such a degree they'd have prevented this," she says.
Borten adds: "As a former programmer, I have concerns that organizations' software coding and testing standards are not always as rigorous as they should be. Yet in these times of networked systems, widespread software development, and comingled customer data, coding errors can have much more serious consequences than in years past. This breach should be a warning to any organization dependent on another company for software. Some companies 'get it;' they understand the risk and they impose strong internal controls. But other companies may have lax practices that raise the risk of breaches."
FSSA's statement says that RCR Technology "is in the process of ensuring that none of the affected clients' electronic case files contain information about other clients as a result of this error. The company also is taking steps to improve their computer programming and testing processes to prevent similar errors from occurring in the future."
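The defect described above (a client's document duplicated and inserted into another client's mailing) is the kind of error a pre-print batch audit catches. The following is an added illustration, not FSSA's or RCR Technology's code; the envelope and document structure, the case numbers and the document ids are constructed assumptions about how such a mailing batch might be modelled.

```python
"""Added example: audit a mailing batch for cross-client document mixing.

Invariant enforced before printing: every document in an envelope carries
the addressee's case number, and no document id appears more than once in
the batch. All case numbers and document ids below are constructed values.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Document:
    doc_id: str
    case_number: str  # the client case this document belongs to


@dataclass
class Envelope:
    addressee_case: str  # case number of the client the envelope is addressed to
    documents: list


def audit_batch(envelopes):
    """Return a list of problem strings; an empty list means the batch is clean."""
    problems = []
    seen = Counter()
    for env in envelopes:
        for doc in env.documents:
            seen[doc.doc_id] += 1
            # A document whose case differs from the addressee's would disclose
            # one client's data to another, as happened in the reported incident.
            if doc.case_number != env.addressee_case:
                problems.append(
                    f"cross-client: {doc.doc_id} (case {doc.case_number}) "
                    f"in envelope for case {env.addressee_case}"
                )
    # The same document appearing twice signals the duplication side of the bug.
    for doc_id, count in seen.items():
        if count > 1:
            problems.append(f"duplicate: {doc_id} appears {count} times")
    return problems


def build_sample_batch(buggy):
    """Constructed sample batch: two clients; 'buggy' reproduces the reported defect."""
    a1 = Document("DOC-1001", "CASE-A")
    a2 = Document("DOC-1002", "CASE-A")
    b1 = Document("DOC-2001", "CASE-B")
    env_a = Envelope("CASE-A", [a1, a2])
    env_b = Envelope("CASE-B", [b1])
    if buggy:
        env_b.documents.append(a1)  # a1 duplicated and misfiled into client B's envelope
    return [env_a, env_b]
```

Running `audit_batch` on the buggy batch reports both the cross-client insertion and the duplicate; a clean batch returns an empty list, which is the condition a print job should require.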
RCR Technology did not reply to a request for comment on the breach incident.