Two separate data breaches disclosed in December 2018 exposed the protected health information of 31,876 plan members of Managed Health Services, which runs Indiana’s Hoosier Healthwise and Hoosier Care Connect Medicaid programs.
The first incident of Indiana’s Medicaid breach involved a phishing attack at LCP Transportation, a company that Managed Health Services contacts with. LCP employees received scam emails in July 2018 that allowed the attacker to remotely access their email accounts in September.
An investigation into the incident determined no Protected Health Information (PHI) had been misused, but several emails in the compromised accounts stored plan members’ personal information including names, addresses, dates of birth, dates of service, insurance identification numbers and descriptions of medical conditions. Roughly 31,300 individuals were affected in the incident.
The second incident of Indiana’s Medicaid breach involved a mailing error in which plan members were sent a notification letter about an upcoming pharmacy change. The letters, however, were sent to the wrong recipients and exposed 576 plan members’ names, insurance identification numbers
Complimentary Credit Monitoring Services
Out of an abundance of caution, Managed Health Services has offered individuals affected in both incidents 12 months of free credit monitoring services. The organization has also enhanced its email security and re-trained staff on mailing processes as well as cybersecurity risks.
Source: Beckers Hospital Review