Raleigh, N.C. — A privacy breach involving the personal information of thousands of Medicaid recipients could result in fines and lawsuits against the state Department of Health and Human Services, an attorney said Tuesday.
DHHS was trying to issue new cards to 70,253 children who were switched from the N.C. Health Choice program to Medicaid under new eligibility rules, but nearly 70% of the cards – 48,752 – went to the wrong Medicaid recipients last week. The cards show a child's name, Medicaid ID number, date of birth and primary care physician, but don't include any Social Security numbers.
Acting Medicaid Director Sandra Terrell blamed a computer programming error for the mix-up, saying that a program to extract information from a DHHS database used the wrong names and addresses of parents or guardians.
DHHS acknowledged Monday that the error was a breach of federal health care privacy regulations under the Health Insurance Portability and Accountability Act, or HIPAA.
A message obtained by WRAL News shows DHHS warned county social services agencies about the mis-mailed cards a week ago, but the agency didn't tell the public about it for another three days – after some media had reported it.
"There's a lot of problems over there," said attorney Knicole Emanuel, who specializes in Medicaid law and information privacy.
Federal law includes steep penalties for violating patient privacy. Each violation carries a fine of up to $50,000.
"There's a $1.5 million cap on penalties annually, but the thing is that, if (the U.S. Department of Health and Human Services) decides North Carolina violated more than one statute, we could get that penalty of $1.5 million – the cap – more than one time," Emanuel said.
The delay in notifying people of the error could play a role in that decision, she said. Under HIPAA, people affected by a privacy breach are supposed to be notified immediately.
"The time frame between them knowing and ... it becoming public can be a factor in the penalties," Emanuel said.
In 2012, Alaska's state health agency was fined $1.7 million by the U.S. Dept. of Health and Human Services for security flaws throughout its computer systems. Emanuel said it's not clear whether North Carolina would face similar penalties.
DHHS spokeswoman Julie Henry said the agency has followed the law.
Officials first had to confirm there was a privacy breach under HIPAA, Henry said, adding that the confirmation came on Jan. 6. The New Year's Day holiday caused a delay in gathering information, Henry added, but DHHS alerted the public as soon as the full scope of the problem was clear.
Emanuel said affected families also could file suit over the mis-mailed Medicaid cards.
"The HIPAA act provides a private right to sue to citizens," she said.
Attorney General Roy Cooper advised families who have been notified someone else received their child's Medicaid card to be on the lookout for potential fraud or identity theft.
Parents should contact Equifax, Experian and TransUnion to see if their child has a credit report. Most children under 18 won't have one, but if one exists, he said, parents should request a fraud alert and place a freeze on it to block anyone from taking out a loan or applying for a credit card under the name.
Cooper said people also should monitor statements of medical services to see if anyone has improperly used a child's Medicaid ID.
DHHS officials are investigating how the error occurred, and they are mailing new Medicaid cards to the affected families. People who received a card in error can either shred it or turn it in to a local Department of Social Services office.