The University of Florida and the Texas Health and Human Services Commission (HHSC) are partners for the Texas Wellness Incentives and Navigation (WIN) Project for Medicaid patients.
In a newly disclosed breach, the University of Florida, acting as a partner of the HHSC, sent letters to Houston area physicians requesting health records for WIN project enrollees. Due to a reported mail merge error, however, some University inquiries were mistakenly sent to the wrong physician. UF reports that the only information shared with the incorrect physician was the patient’s name, Medicaid STAR+PLUS identification number, and date of birth.
According to the notification letter sent to affected patients last week, the error occurred in November 2013 and was first reported to a University Institutional Review Board on March 3, 2014. The Texas HHSC was also notified about the event on March 22, 2014.
Soon after, the Texas Office of the Inspector General investigated a possible breach complaint and on August 24, 2014 the Texas HHSC Privacy Officer determined that patient notification was required.
There is no explanation as to when UF first discovered the mistake, why it took so long for them to notify their Institutional Review Board and Texas HHSC, or why it took the Texas OIG so long so determine that patient notification was required. Nor does UF mention whether they ever asked the physicians receiving the incorrect requests to securely shred the inquiries nor why they had not come to their own determination that notification was required under HIPAA.
Those affected were not offered any credit monitoring services, and because the recipients of the mis-mailings were HIPAA covered entities, the risk to patients should be relatively low. Although we know that in other cases, there are doctors who misuse Medicaid numbers for fraud schemes, credit monitoring would not really help here.