The Arkansas Department of Human Services (DHS) has discovered a breach of Medicaid client information and is notifying the affected clients.
On September 16, 2022, DHS became aware that an employee sent emails from her DHS email to her personal Yahoo account with client information attached. The attachments consisted of Excel spreadsheets used to notify the Department of Health of the number of Medicaid clients who had been diagnosed with the flu.
The information included the Medicaid Recipient ID, date of birth, gender, county, zip code, and a flu diagnosis of 925 individuals. The information did not include names, Social Security numbers, or the clients’ full addresses. No financial information was included, and the only health information disclosed was the flu diagnosis. DHS is notifying the affected clients by mail.
Although the information was limited in nature, DHS takes the privacy and security of its clients seriously, and when this incident was discovered, DHS took steps to mitigate the risk and prevent similar incidents from happening in the future.
DHS has policies and procedures to safeguard and protect the privacy and security of its clients’ information, and all employees are trained on these policies and procedures. Every year, all employees are required to complete HIPAA training. DHS HIPAA training includes topics such as using secure and encrypted email and not using employees’ personal email to send and receive health information of DHS clients.
If DHS clients have questions or concerns, they may contact the DHS Privacy Office by email at DHSPrivacyOfficer@dhs.arkansas.gov or by toll-free phone at 1-855-283-0835.