DHHS mailing mistake could open NC up to fines, suits

Posted January 7, 2014

— A privacy breach involving the personal information of thousands of Medicaid recipients could result in fines and lawsuits against the state Department of Health and Human Services, an attorney said Tuesday.

DHHS was trying to issue new cards to 70,253 children who were switched from the N.C. Health Choice program to Medicaid under new eligibility rules, but nearly 70% of the cards – 48,752 – went to the wrong Medicaid recipients last week. The cards show a child's name, Medicaid ID number, date of birth and primary care physician, but don't include any Social Security numbers.

Acting Medicaid Director Sandra Terrell blamed a computer programming error for the mix-up, saying that a program to extract information from a DHHS database used the wrong names and addresses of parents or guardians.

DHHS acknowledged Monday that the error was a breach of federal health care privacy regulations under the Health Insurance Portability and Accountability Act, or HIPAA.

A message obtained by WRAL News shows DHHS warned county social services agencies about the mis-mailed cards a week ago, but the agency didn't tell the public about it for another three days – after some media had reported it.

"There's a lot of problems over there," said attorney Knicole Emanuel, who specializes in Medicaid law and information privacy.

Federal law includes steep penalties for violating patient privacy. Each violation carries a fine of up to $50,000.

"There's a $1.5 million cap on penalties annually, but the thing is that, if (the U.S. Department of Health and Human Services) decides North Carolina violated more than one statute, we could get that penalty of $1.5 million – the cap – more than one time," Emanuel said.

The delay in notifying people of the error could play a role in that decision, she said. Under HIPAA, people affected by a privacy breach are supposed to be notified immediately.

"The time frame between them knowing and ... it becoming public can be a factor in the penalties," Emanuel said.

In 2012, Alaska's state health agency was fined $1.7 million by the U.S. Dept. of Health and Human Services for security flaws throughout its computer systems. Emanuel said it's not clear whether North Carolina would face similar penalties. 

DHHS spokeswoman Julie Henry said the agency has followed the law.

Officials first had to confirm there was a privacy breach under HIPAA, Henry said, adding that the confirmation came on Jan. 6. The New Year's Day holiday caused a delay in gathering information, Henry added, but DHHS alerted the public as soon as the full scope of the problem was clear.

Emanuel said affected families also could file suit over the mis-mailed Medicaid cards.

"The HIPAA act provides a private right to sue to citizens," she said.

Attorney General Roy Cooper advised families who have been notified someone else received their child's Medicaid card to be on the lookout for potential fraud or identity theft.

Parents should contact Equifax, Experian and TransUnion to see if their child has a credit report. Most children under 18 won't have one, but if one exists, he said, parents should request a fraud alert and place a freeze on it to block anyone from taking out a loan or applying for a credit card under the name.

Cooper said people also should monitor statements of medical services to see if anyone has improperly used a child's Medicaid ID.

DHHS officials are investigating how the error occurred, and they are mailing new Medicaid cards to the affected families. People who received a card in error can either shred it or turn it in to a local Department of Social Services office.


This blog post is closed for comments.

Oldest First
View all
  • InTheNo Jan 9, 2014

    Surely the federal government won't fine this NC administration, will they?

  • wenfromwake Jan 9, 2014

    Need a wide investigation of all of DHHS. 5 month wait after adoption takes place for them to get the paperwork to vital records in order for parents to get child's new birth certificate! Ridiculous. Unacceptable.

  • jrfergerson Jan 9, 2014

    Does the leadership in NC really think people are that dumb

  • free2bme Jan 8, 2014

    This GOP legislature continues to waste our hard earned tax dollars with law suits and incompetent campaign workers. They continue to cut services for the poor and insult our teachers but they seem to think it is okay to waste tax dollars defending their crazy policies and mistakes. They have the nerve to complain about ACA and they can't fix a system so that local medical providers are paid for services rendered in a timely manner. When will the NC GOP Legislature take some responsibility, stop wasting tax payer dollars, and resolve issues. Is it time to vote these people out yet!!!

  • Fuquay Resident Jan 8, 2014

    View quoted thread

    It sounds like we're getting our money's worth then.

  • dollibug Jan 8, 2014

    I guess this mistake was made by someone not *qualified to do their job*. Yep putting people in jobs that they are not qualified will allow all sorts of mistakes to happen.

  • unc70 Jan 8, 2014

    View quoted thread

    This had nothing to do with Obamacare. This was all about changes in NC's implementation of Medicaid.

  • changedmyname Jan 8, 2014

    I can hear my sister and her husband now....OwwWEE, We just hit the lottery and we didn't have to put out any money. We got the wrong cards.

  • emma1870 Jan 8, 2014

    But did not include their SS numbers, WRONG!!! that is there Medicaid ID...

  • HeadsUp Jan 8, 2014

    This kind of costly debacle is more likely when, as now, the department secretary has no experience running an organization like this.

    NCDHHS desperate needs an experienced professional at the helm, not just a smart political contributor.

    Does Governor McCrory have the wisdom to realize that, and act on it?