The New York state office that investigates Medicaidfraudhas suspended one of its own workers after the individual allegedly sent 17,743 records of Medicaid beneficiaries to the employee's personal e-mail account. The employee, whose name, gender, and job title were not released, worked in the Office of Medicaid Inspector General, based in Albany, N.Y. That office is charged with fighting Medicaid "fraud, waste, and abuse," according to OMIG's website.
OMIG discovered that the employee sent to a personal e-mail account thousands of records that may have contained names, date of birth, Medicaid client information number, and "some" Social Security numbers of Medicaid recipients, says an OMIG spokeswoman.
The employee is on administrative leave while an independent investigation is being conducted by the New York State Inspector General's Office, the spokeswoman says. "Hopefully, that IG report will be coming out soon," she says, declining to discuss details of the case while the investigation is ongoing. OMIG is cooperating with the investigation, she says.
In an OMIG statement, the organization says: "The employee is suspected of having made a personal decision, without agency involvement or authorization from OMIG leadership or his or her personal supervisors" to send the records to the personal e-mail address.
The OMIG spokeswoman declined to discuss possible motives for the worker releasing the information or whether any fraud involving the data is suspected.
In any case, OMIG has sent letters to each breach victim, recommending individuals place an alert on their credit reports by contacting the three major credit reporting agencies, Equifax, Experian, and TransUnion. The agencies will provide free credit monitoring services for one year, says OMIG.
In addition, OMIG has set up a toll-free hotline to assist individuals with their questions regarding the breach. That includes language translation services for non-English speaking individuals.
Since this incident occurred, OMIG has devised tighter controls in its information technology department to limit access to data, ensuring that only those investigators and auditors who need data for specific investigatory or auditing purposes can retrieve such information, says the statement. "Under this enhanced approach, the employee would not have had access to the information included in this breach."
In addition to using role-based controls to prevent improper data access by insiders, privacy and security experts also suggest the use of monitoring tools to detect suspicious activity, as well as data loss prevention and filtering technology to help stop unauthorized information from being sent.