The records were for employees of Medi-Cal, California’s Medicaid welfare program. Names and SSNs, plus potentially users’ provider names, addresses and provider types, were exposed. Providers of In-Home Supportive Services (IHSS) care in 25 counties are affected by the breach, according to KCRA-TV.
"In an exclusive interview with KCRA 3, state officials from the Department of Health Care Services admitted to posting nearly 14,000 Social Security numbers belonging to Medi-Cal providers working for In-Home Supportive Services. ... The confidential information was available on the state's Medi-Cal website for anyone to see for a period of nine days, before the mistake was discovered and the numbers removed," writes KCRA TV's Mike Luery.
The breach was “inadvertent, and we sincerely regret this has happened,” Norman Williams, deputy director for public affairs at DHCS California, said in a statement. The agency is conducting an internal investigation, he added.
The data was publicly viewable between Nov. 8 and 14, but somehow it was still discoverable via Google search as late as Nov. 20. DHCS said that it worked with Google to make sure the information was no longer indexed.
In the aftermath, DHCS sent out notification letters this week explaining to the affected employees that their names and Social Security numbers were posted on a “public website for business purposes,” and offering them a free subscription to the Experian credit monitoring service so they can be prepared for identity theft.
“This is the second time in the last six months in-home care providers in the state have had to deal with the possible threat of identity theft,” noted Threatpost's Christopher Brook. “In May, a breach at the state’s Department of Social Services (DSS) put 750,000 providers at risk after the agency mistakenly mailed an unencrypted microfiche containing providers’ Social Security numbers, ID numbers and names to the wrong office. When it finally arrived, it was damaged and information was missing. That breach forced the state to change how it handles sensitive data, electing to shift to a courier-only delivery service opposed to simply dropping items in the mail.”
Such mistakes can be catastrophic for organizations. The Ponemon Institute’s third annual Benchmark Study on Patient Privacy and Data Security recently found that not only are healthcare breaches up, but they’re way up. Most hospitals (94%) have experienced data breaches over the past two years. But almost half of them (45%) have seen, staggeringly, more than five data breaches at their organization this year. That’s compared to only 29% with more than five data breaches in 2010.