Medicaid Data Breach Trends: An AnalysisOne Big Hacker Incident Responsible for Most Victims Impacted in 2016
Medicaid agencies and their contractors reported more than 1,200 data breaches in 2016. And while those breaches included only a handful of hacking incidents, one of those affected more than 70 percent of all individuals that were impacted by Medicaid data breaches, according to a new federal watchdog agency report.
In its report, the Department of Health and Human Services' Office of Inspector General says of the 1,260 breaches reported by state Medicaid agencies and their contractors in 2016 - which impacted a total of 515,000 individuals - most were small incidents affecting one to nine individuals and involving unauthorized access/disclosures, such as misdirected letters and faxes.
"I am not surprised that most of the volume of breaches are small," says privacy attorney Kirk Nahra of the law firm Wiley Rein. "I am surprised that there aren't more hacking incidents, and I suspect there are more incidents than are reported. But I do not know whether there is a choice not to report or the entity does not know there has been an incident."
OIG conducted the study by collecting submissions from all 50 state Medicaid agencies - plus the District of Columbia - containing information about all breaches that they and their contractors experienced in 2016.
Of the submissions to OIG, 36 states reported Medicaid breaches in 2016, the watchdog agency notes. About two-thirds of the breaches were experienced by Medicaid contractors, with a third by Medicaid agencies.
Few Hacking Incidents, But Big Impact
Less than 1 percent of the breaches - nine incidents - were reported as hacking incidents, but the largest of those hacks impacted 370,000 individuals, or 72 percent of all Medicaid beneficiaries affected by breaches in 2016, OIG writes.
Although the OIG report does not identify the state reporting that large hacking incident, the Washington State Health Care Authority on Dec. 21, 2016, issued a statement saying that approximately 370,000 clients of the state's Medicaid program - called Apple Health - had been affected by a hacking incident involving a vendor of Community Health Plan of Washington, one of five managed care plans that serves Apple Health patients.
The Washington State Health Care Authority confirmed to Information Security Media Group that it's the Medicaid agency that reported the large hacker breach spotlighted in the OIG study.
The HHS Office for Civil Rights' HIPAA Breach Reporting Tool website - commonly called the "wall of shame" - also shows that Community Health Plan of Washington reported to OCR a hacking incident on Dec. 21, 2016.
In reference to that major hacking breach, the OIG report notes: "The state said that the breach was caused by an individual who hacked the computer server of a managed care organization's business associate and had access to names, dates of birth, diagnosis information and Social Security numbers. The state concluded that there was no evidence that the individual intended to use the information fraudulently."
The other eight reported hacking incidents were much smaller, affecting a combined total 5,500 individuals, OIG writes.
The Medicaid breaches tied to hackers "resulted from ransomware and phishing attacks, and other attempts to access sensitive data or systems without authority," the OIG writes. "The targets of the hacking incidents were managed care organizations and other health plans as well as their subcontractors, such as data processing companies and laboratory facilities."
OIG found that all 50 states and the District of Columbia appear to follow a "common framework" for processes involving collecting information about breaches and suspected breaches and determining whether to report these incidents to federal agencies, including the HHS Office for Civil Rights, which produces the HIPAA breach tally.
But OIG found that reporting incidents to HHS' Centers for Medicare and Medicaid Services is not always a part of states' breach response processes, despite CMS advising states in a 2006 to report breaches to that federal agency as well.
"Most states told us that they do not routinely inform CMS of Medicaid breaches that they or their contractors experience," OIG writes.
In a 2006 letter to state Medicaid directors, CMS explained the importance of the security and privacy of beneficiary information and instructed Medicaid agencies that they "should immediately report a breach, whether discovered by [an agency's] own staff or reported by a contractor."
In its 2007 response to states' questions about the state Medicaid director letter, CMS explained that it periodically analyzes breach data to identify possible weaknesses in states' information systems or trends in changes to states' policies on the security of their systems.
Despite the failure of many states to report breaches to CMS as required, the states overall appear to do a better job at notifying affected individuals and having processes for helping protect beneficiaries from financial harm resulting from breaches. That includes offering beneficiaries credit monitoring services and protection against identity theft, OIG notes.
In the report's sole recommendation, OIG suggests that CMS reissue guidance to states about reporting Medicaid breaches to CMS. "Collecting information on a national scale regarding Medicaid data breaches could help CMS identify breach trends and promote effective state responses," OIG writes.
CMS concurred with OIG's recommendation, the report notes.
Sizing Up Medicaid Breaches
So how do privacy and security experts size up OIG's findings about Medicaid data breaches?
Kerry McConnell, a partner and principal consultant at consultancy tw-Security, notes that it's possible that Medicaid agencies could be classifying some incidents involving hackers as other types of breaches.
"Data management is a huge challenge for Medicaid agencies, and it is not uncommon for states to have hundreds of data interfaces/exchanges as it relates to managing/reporting on their programs," he notes. It's possible that some incidents are categorized "as 'mismanagement of data' and not a 'hack' per se," he says.
Nahra, the attorney, says it's unclear why many Medicaid agencies and vendors aren't following the requirement of reporting breaches to CMS.
"It is not clear to me whether the relevant entities realize there are different reporting rules here. At the same time, it is not clear to me why there is a need for separate reporting rules," he says.
Missed the Mark?
Privacy attorney David Holtzman, vice president of compliance at security consulting firm CynergisTek, says OIG "missed the mark" in its study of state agencies response and reporting of breaches of Medicaid data.
"The OIG report found evidence that some states are not using the appropriate standard called for in the [HIPAA] Breach Notification Rule to assess incidents because they impermissibly measure the risk of identity theft or "harm" as a factor to determine if there is a reportable breach, he notes.
"All in all, the OIG study raises more questions than it answers."
—David Holtzman, CynergisTek
In other examples, states had processes in place that omitted reporting to OCR incidents that they had determined were breaches, he says. "Most puzzling is that 15 of the 51 state Medicaid agencies reported that they had not identified a single reportable breach in all of 2016. All in all, the OIG study raises more questions than it answers," Holtzman says.
Like private health plans, Medicaid agencies maintain large amounts of member data that is subject to outside hacks, insider threats and breaches due to carelessness, says privacy attorney Adam Greene of the law firm Davis Wright Tremaine. "But Medicaid agencies may have less resources than private plans to combat this constant barrage of threats."
Nahra notes the OIG report indicates that "there are real risks from government entities, who play a dual role as regulator and participant. It's never been clear whether the government entities meet the same standards at the same level as the private entities that face more realistic risks of investigations and enforcement.
When vendors are involved in Medicaid breaches, sorting out reporting duties is sometimes tricky, McConnell, the consultant, notes.
"Most state programs follow a multivendor model now - less than a dozen states self-administer their [Medicaid] programs - so figuring out where the breach first occurred, who did what, or who is at fault is a challenge. This complicates reporting responsibilities," he says.
But confusion about breach reporting is also a problem among private sector healthcare entities and their business associates, Greene notes.
"Some business associates do not understand that their reporting obligation is typically only to the covered entity," he says. "Most large covered entities are aware of their requirement to report breaches to OCR, but they may not realize when they also must report to state regulators under state law."