The Utah Department of Health has begun notifying 6,000 Utahns on Medicaid that some of their personal information was misplaced by a third-party contractor.
The contractor, Goold Health Systems, processes pharmacy claims for the state's low-income health program.
Late in the day on Jan. 10, a Goold employee pulled a routine report containing the names, ages and recent prescriptions for 6,000 enrollees. Struggling to upload the report to a secure file server, the employee saved it on an unencrypted thumb drive and left the health department's headquarters with the device.
The employee had planned to upload it later, but misplaced the device while traveling between Salt Lake City, Denver and Washington, D.C., said health department spokesman Tom Hudachko.
Goold confirmed Tuesday the data were missing. No one at the company, based in Maine, could be reached for comment late Wednesday.
No birth dates, Social Security numbers or financial data were exposed.
"We believe the potential risk for identity theft is minimal. Further, we have no reason to believe the data were targeted by anyone to be used for malicious purposes," Utah Medicaid Director Michael Hales said Wednesday in a prepared statement. "Nevertheless, we understand the anxiety this will likely cause and want clients to know we are taking all reasonable precautions to ensure the missing data cannot be used to harm individual clients or defraud the Medicaid program."
The mishap falls on the heels of one of the largest data breaches in state history. Last spring, hackers, exploiting a factory password, broke into a Medicaid server and stole the personal information of 780,000 Utahns. Federal officials are still investigating the breach and may fine the state.
This latest foul-up may also merit penalties since individuals' health information was jeopardized. "But our interpretation of our contract is that any fines would be levied against [Goold]," said Hudachko.
Utah may also seek remedies.
"I have directed [our] attorneys to review our contract ... and I fully intend to seek whatever financial or contractual remedies are available in order to ensure [Goold] is held accountable for this serious mistake," said health department chief David Patton.
"Protecting our clients' personal information is of utmost importance to our department, and it must be the number one priority of our contractors as well."
Patton said he expects Goold to take appropriate disciplinary action and assure the health department that the responsible employee no longer be allowed to work with its data.
Medicaid clients whose information was put at risk will receive written notice within the next few days.
Local and federal law enforcement and aviation authorities are on alert, but the thumb drive hasn't surfaced.
Health officials have asked the Office of the Inspector General to monitor accounts for suspicious activity. The state is also making its health data-security ombudsman available to anyone with questions.
For more information, Medicaid clients can call 1-800-662-9651 and select option 1, then option 2 or e-mail email@example.com.
Medicaid recipients whose information was jeopardized will receive written notice in the next few days.
Clients with concerns or questions can call 1-800-662-9651 and select option 1 and then option 2, or e-mail firstname.lastname@example.org.