LITTLE ROCK, Ark. (News release) – The Arkansas Department of Human Services (DHS) has determined that spreadsheets with personal and health information for some Medicaid beneficiaries were emailed to an employee’s home email address, constituting a breach of information as described in state and federal law and DHS policy.
After manually counting and sorting names to identify duplicates, DHS found that there were 26,044 unique names of Medicaid beneficiaries on the spreadsheets with linked Medicaid identification numbers, some social security numbers and codes for medical procedures that beneficiaries underwent.
“We at DHS want to make sure beneficiaries are aware of this situation, understand what happened and know the steps we are taking to ensure something like this doesn’t happen again,” said DHS Director Cindy Gillespie. “The privacy of beneficiaries is important to us, and we take this situation very seriously.”
The emailed spreadsheets were discovered as attorneys prepared to represent DHS in court against a wrongful termination lawsuit. The DHS privacy officer was notified by attorneys of the emails and reviewed the materials to determine the scope of the breach.
DHS is sending a letter to affected beneficiaries, and all DHS employees have been reminded about the responsibility DHS has to protect beneficiary information.
Gillespie noted that all DHS employees undergo security and privacy training and cannot gain internet access at work until they pass a test on what they were taught. The training includes the prohibition of emailing confidential information outside the scope of a person’s job. DHS is working with attorneys to recover the spreadsheets and has contacted the Pulaski County Prosecuting Attorney’s office to pursue criminal charges and prosecution.
The DHS Office of Security, Compliance and Integrity will review the situation to determine whether there are additional steps DHS can take to ensure this does not happen again.