The HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Multiple Data Breaches Reported by Iowa Medicaid and South Jersey Behavioral Health Resources

The Iowa Department of Health and Human Services has announced there have been three separate breaches of the protected health information of Iowa Medicaid recipients in the past two months – two hacking incidents and an impermissible disclosure, all three of which involved third-party contractors.

The largest breach was at the Medicaid contractor, MCNA Dental, which resulted in the exposure and potential theft of the protected health information of 233,834 Iowa Medicaid recipients. The MCNA Dental data breach impacted more than 8.9 million individuals across the country. An unauthorized third party gained access to MCNA Dental’s systems on February 26, 2023; the breach was detected on March 6, 2023, and the unauthorized access was blocked the following day. The LockBit ransomware gang claimed responsibility for the attack and potentially obtained names, addresses, telephone numbers, email addresses, birth dates, Social Security numbers, driver’s license numbers, government-issued ID numbers, health insurance information, Medicare/Medicaid ID numbers, group plan names and numbers, and information related to the dental and orthodontic care provided. MCNA Dental has offered affected individuals complimentary credit monitoring services.

The Iowa Department of Health and Human Services has also confirmed a breach of the protected health information of Iowa Medicaid recipients due to an error at Amerigroup. Explanation of payment notices containing the information of 833 Iowa Medicaid recipients were sent to 20 providers in error. Names, addresses, Social Security numbers, and health insurance were impermissibly disclosed. Amerigroup is sending notification letters to those individuals.

Another breach was confirmed in April at one of the department’s contractors, Telligen, Inc., which performs annual assessments for Medicaid members to ensure they are receiving the correct level of care. Telligen subcontracted part of that work to Independent Living Systems (ILS), where the data breach occurred in June and July 2022. The protected health information of approximately 20,800 Medicaid members was compromised in the attack. In total, more than 4 million individuals were affected by the ILS data breach.


South Jersey Behavioral Health Resources Victim of Two Security Breaches

South Jersey Behavioral Health Resources (SJBHR) in Camden, NJ, an Inperium affiliate that provides residential, outpatient, adult partial care, telehealth/telecounseling, and homeless services, has recently announced two breaches of the protected health information of patients in quick succession.

The first incident was a business email compromise/phishing attack. An employee received a request for an Accounts Receivable Report from what appeared to be the legitimate account of a member of the SJBHR fiscal office. An email was sent in response that included patient names, dates of service, types of service, and billing codes. The breach was detected the following day. Additional training was provided to all staff members in response to the incident to help them identify and avoid email scams in the future.

A few days later, on April 5, 2023, SJBHR was the victim of a ransomware attack that resulted in files being encrypted on certain computer systems. The forensic investigation confirmed the attackers gained access to its systems on April 3, 2023. No evidence was found to indicate access to or the theft of patient data, but the systems compromised in the attack included files containing names, contact information, Social Security numbers, driver’s license numbers, dates of birth, medical record numbers, treating/referring physician names, health insurance information, subscriber numbers, medical history information, and diagnosis/treatment information.

In response to the ransomware attack, policies and procedures have been reviewed and additional data security measures have been implemented. SJBHR does not believe the two incidents are related. The HHS’ Office for Civil Rights data breach portal indicates the email incident affected 2,193 individuals. The ransomware attack is not yet showing on the breach portal.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
