Elizabeth Litten and Michael Kline write:

For the second time in less than 2 ½ years, the Indiana Family and Social Services Administration (the “FSSA”) has suffered a large breach of protected health information (“PHI”) as the result of actions of a business associate (“BA”).  If I’m a resident of Indiana and a client of FSSA, I may have received a surprise in the mail sometime between April 6th and late May or early June of this year.  I might have opened my FSSA mail to see detailed information about another FSSA client that could have included their name, address, case number, date of birth, gender, race, telephone number, email address, types of benefits received, monthly benefit amount, employer information, some financial information such as monthly income and expenses, bank balances and other assets, and certain medical information such as provider name, whether the client receives disability benefits and medical status or condition, and certain information about the client’s household members like name, gender and date of birth.

What did (or should) I do with all this PHI?  In an announcement made on July 1, 2013, the FSSA is telling its clients to return the accidentally mailed documents to the local FSSA office, or to shred them.  The FSSA provides detailed information as to how the breach occurred (a programming error made by its BA document management systems contractor, RCR Technology Corporation), and what steps can be taken by individuals whose information might have been breached to protect their credit.  But the FSSA is notably vague in providing details as to how recipients of other FSSA clients’ information should make sure that the information is not disclosed to others.  A client that has held on to the private information of another client since receiving it in April, May, or June might decide to take it to the local FSSA office in person (risking that it could be left on a bus or in a car or simply lost along the way), might send it to the wrong address, or might not think to put “Personal/Confidential” on the envelope or mark it in a way that would alert the person opening it to its private contents.  Possibly even worse, the client might simply dump it in the regular or recyclable trash (opened or even unopened in the belief that it is junk mail) where unknown persons can retrieve it.

This is the second reported large PHI security breach suffered by the FSSA as a covered entity (“CE”) at the hands of a BA.  The Department of Health and Human Services (“HHS”) list of large PHI security breaches reflects that the FSSA as the CE reported that, on November 9, 2010, its BA, the Southwestern Indiana Regional Council on Aging, had experienced the theft of a laptop computer containing unprotected PHI of 757 individuals.

Of course, programming mistakes and the many other human and technical errors that lead to breaches are and will continue to be, despite the parties’ best intentions, unavoidable.  Responding promptly, thoughtfully, and accurately to PHI breaches will be key in minimizing damage.  While the FSSA appears to have responded promptly, thoughtfully, and accurately, it is unclear when the FSSA first learned of the breach and its scope from its BA, and therefore whether it reported the breach to affected individuals and HHS within the maximum period of 60 days from discovery.  Finally, including more specific, practical instructions regarding what to do when someone else’s PHI shows up in your mail or lands in your hands could help avoid further breaches and would remind the public to treat PHI with particular care.