An audit (pdf) by HHS' Office of Inspector General found that CMS failed to meet federal notification requirements and did not offer adequate help to affected individuals when its Medicare patient database was breached.
According to the audit, CMS had 14 breaches of protected health information between Sept. 23, 2009 and Dec. 31, 2011, affecting 13,775 Medicare beneficiaries. While the beneficiaries were notified, CMS failed to meet several notification requirements detailed in the American Recovery and Reinvestment Act. In response to these medical identity theft risks, CMS developed a compromised number database for contractors; however, the usefulness of the database could have be improved, according to the audit. In addition, contractors did not consistently develop edits to stop payments on compromised numbers.
In order to remedy these issues, OIG gave five recommendations to CMS:
1. Ensure that breach notifications meet Recovery Act requirements.
2. Improve the compromised number database.
3. Provide guidance to contractors about using database information and implementing edits.
4. Develop a method for ensuring that beneficiaries who are victims of medical identity theft retain access to needed services.
5. Develop a method for reissuing identification numbers to beneficiaries affected by medical identity theft.
Anthem Blue Cross to Pay $150k Over Data Breach Allegations
2 University of Miami Hospital Employees May Have Stolen Patient Information
According to the audit, CMS had 14 breaches of protected health information between Sept. 23, 2009 and Dec. 31, 2011, affecting 13,775 Medicare beneficiaries. While the beneficiaries were notified, CMS failed to meet several notification requirements detailed in the American Recovery and Reinvestment Act. In response to these medical identity theft risks, CMS developed a compromised number database for contractors; however, the usefulness of the database could have be improved, according to the audit. In addition, contractors did not consistently develop edits to stop payments on compromised numbers.
In order to remedy these issues, OIG gave five recommendations to CMS:
1. Ensure that breach notifications meet Recovery Act requirements.
2. Improve the compromised number database.
3. Provide guidance to contractors about using database information and implementing edits.
4. Develop a method for ensuring that beneficiaries who are victims of medical identity theft retain access to needed services.
5. Develop a method for reissuing identification numbers to beneficiaries affected by medical identity theft.
More Articles on Data Breaches:
Kentucky Health Agency Notifies 2,500 of Potential HIPAA BreachAnthem Blue Cross to Pay $150k Over Data Breach Allegations
2 University of Miami Hospital Employees May Have Stolen Patient Information