Victims of Medicaid breach may have little recourse if personal info is compromised
Enforcement of health information act would be needed to aid victims
SALT LAKE CITY — There aren't many breaches of secure information large enough to report to the U.S. Department of Health and Human Services, but when they do happen, there is little recourse for individuals who are affected.
The only possible remedy would come from enforcement of a violation of the Health Information Portability and Accountability Act, if one is substantiated in the first place, according to Tenielle Brown, an associate professor at the University of Utah's S.J. Quinney College of Law.
In Utah, action would have to be taken by the state's attorney general or the federal Office for Civil Rights.
"Of the two parts of the HIPAA rule, the privacy rule is trying to get at that unauthorized disclosure of patient medical records," Brown said. "It doesn't appear to be what happened in this case. It appears it was a security breach just by failing to have adequate safeguards in place."
In the case of Utah's recent Medicaid information breach — in which the health information of approximately 780,000 Utahns, including potentially 255,000 Social Security numbers, was compromised — individuals would have to prove financial harm, which might take years to realize, Brown said.
"It's unsatisfying to have to wait that long and then bring it through the often lengthy court process as well," she said, adding that the biggest effect of last week's breach might be loss of public trust in the Medicaid system.
"There aren't alternatives to providing these services," Brown said. Private information is pertinent to obtaining health insurance and medical care. "You have to give up that information."
It is possible that Utah may incur fines for not securing the information properly, up to $1,000 per record that was compromised. But Brown said it is a long shot for any person to go after the state themselves.
"A person would have to show that there was something reckless done by the state," she said. "And it doesn't sound intentional in this case."
Only violations affecting more than 500 people get reported to the federal government and the last reported offense occurred in Indiana, where health information of 20,000 people was presumed stolen. Utah's breach isn't the largest in the country, but ranks up there with some of the most substantial in history.
It is, however, the most extensive case ever to occur within the state.
"I think the protocols need to be strengthened," said University of Utah computing professor Matt Might. "This was more than just a misconfigured server, it was also a lack of things like encryption and proper internal access control."
Hackers traced to an Internet protocol address in Eastern Europe are suspected to have accessed the state's information during a time of particular vulnerability, late in the day on March 30. Medicaid information is housed on any one of 125 of the state's 520 networked servers that is used by the Utah Department of Health.
Might said the supposed infiltrators are likely specialized information thieves and the information they retrieved will or already has been sold on the black market, "which is huge for this sort of thing."
In addition to applying for credit cards, individuals who are familiar with the value of such personal information, he said, could likely use it to help illegal immigrants file for employment, file fraudulent tax returns and purport Medicare and Medicaid fraud, which is already a $50 billion problem in the U.S.
"Once it's out there, it's out there," Might said. "You could put a fraud alert on your credit report, but that's all you can do."
Fortunately, the immediate vulnerabilities of the breached system, and perhaps others, have been closed, but he hopes the state has learned its lesson.
"This is a major wake-up call to everyone," Might said.
- Provo couple killed in RV accident near St....
- Man charged with killing Ogden officer found...
- Police were watching, listening to Josh and...
- 'More questions than answers' as charges...
- Davis County honor student arrested in deaths...
- Susan Powell's father wants help searching...
- Parents of Sandy Hook victim, Emilie Parker,...
- Steven Powell can't go back to his home,...
- Chaffetz not willing to take... 70
- Man charged with killing Ogden officer... 39
- S.L. draws up airport plans 33
- Couples registry gets preliminary nod... 29
- 'We're here to serve all boys,' Utah... 23
- Search for Susan Cox Powell is over,... 21
- Gov. Gary Herbert tells Washington... 17
- $2.6B needed for Utah to reach... 17