Programming error leads to massive health breach

The Indiana Family and Social Services Administration (FSSA) is notifying its clients that some of their personal information may have been accidentally disclosed to other clients, according to an announcement. In compliance with federal and state privacy law, FSSA has sent written notices to 187,533 potentially impacted clients.

According to the announcement, the accidental disclosures may have occurred when RCR Technology Corporation (RCR), a contractor for FSSA, made a computer programming error to a document management system the company supports on behalf of FSSA. The programming error was made on April 6, and affected correspondence sent between April 6 and May 21.

FSSA announced that RCR is in the process of ensuring that none of the affected clients' electronic case files contain information about other clients as a result of this error. The company also is taking steps to improve their computer programming and testing processes to prevent similar errors from occurring in the future.  

"This error caused an undetermined number of documents being sent to clients to be duplicated and also inserted with documents sent to other clients," states the annoncement. "This means some of the clients may have received documents belonging to other clients along with their own documents."

The type of information that may have been disclosed includes name, address, case number, date of birth, gender, race, telephone number, email address, types of benefits received, monthly benefit amount, employer information, some financial information such as monthly income and expenses, bank balances and other assets, and certain medical information such as provider name, whether the client receives disability benefits and medical status or condition, and certain information about the client's household members like name, gender and date of birth. 

Last year, a South Carolina Department of Health and Human Services employee sent personal data for more than 228,000 Medicaid recipients to his personal, unsecured email account. Information stolen included names, phone numbers, addresses and birth dates, as well as Medicare ID numbers for more than 22,000 people. In this case, Social Security numbers double as the latter.

To learn more:
- read the announcement
- read Courier-Journal article