The private health information of more than 13,000 Tennessee Medicare recipients was released to the public by a state contractor — the most wide-ranging breach nationally uncovered by federal investigators.
A just-released report, from the Department of Health and Human Services Office of the Inspector General, found 14 breaches of protected health information between 2009 and 2011 by the federal agency that administers Medicare and Medicaid. The largest breach of records took place in Tennessee.
Those are exactly the kind of records that, if in the wrong hands, can lead to medical identity theft, a scam that hurts both those on Medicare and the taxpayer. Scams run the gamut from the simple, when thieves use someone’s medical information to get prescription drugs, to the complex, when sham doctors’ offices use the information to bill the government for quick cash.
“The information obtained can be used to file false claims under Medicare or TennCare,” Yarnell Beatty, the Tennessee Medical Association’s director of legal and government affairs, told TNReport. TennCare is the state’s version of Medicaid, the healthcare program for the poor. “Even one breach is cause for concern.”
The report stated that medical identity theft “can lead to erroneous entries in beneficiaries’ medical histories and even to the wrong medical treatment” and “may also lead to significant financial losses for the Medicare Trust Funds and taxpayers.”
Beatty also noted that given the millions — and perhaps billions — of Medicare transactions each year, some breaches are to be expected.
If the breaches are a concern, so was how federal officials reacted in the wake of those breaches, according to the report. Medicare recipients at risk of having their medical information stolen were notified, but it appears those notifications left much to be desired.
The notifications for these breaches often were missing required information. Notably, the notification letters for six of the breaches did not explain how the contractors were investigating the breach, mitigating losses, or protecting against further breaches. … Moreover, notification letters for half the breaches, including the largest breach [in Tennessee], were missing either the date the breach occurred or the date it was discovered.
Many times, the information inadvertently released included beneficiaries’ names, Medicare identification numbers, dates of birth, diagnoses and services received.
The Tennessee breach affected 13,412 beneficiaries. A printing error by a Medicare contractor caused the notices to be sent to incorrect addresses, according to the report.
Most of the breaches, including the one in Tennessee, were accidental, according to the report, but one of the 14 breaches was found to be criminal in nature.
“You can’t totally eliminate human error, although you strive to,” Angie Madden, the director of eHealth Service at the Tennessee Medical Association, said.
But Madden pointed out a silver lining. She said that the Centers for Medicare & Medicaid Services — the federal agency that oversees both those entities and was the subject of the report — “have done a fairly good job of educating the public and beneficiaries” when it comes to fraud.
Editor’s Note: This story was updated on Oct. 25 to make clear that the printing error leading to the data breach was made by a Medicare contractor.