Medi-Cal, California’s Medicaid welfare program, came clean to customers this week admitting it mistakenly posted almost 14,000 of its users’ Social Security numbers online last month.
Providers of In-Home Supportive Services (IHSS) care in 25 counties are affected by the breach, according to a report from KCRA-TV, a Sacramento-based television station. Users’ information was posted on a government site for at least nine days, beginning Nov. 8, before being removed on Nov. 14, according to the report. It was on that same day that the Department of Health Care Services (DHCS) was made aware of the mistake. On Nov. 20 however, a provider was still able to find its Social Security number when searching Google with their name and other criteria. From there, the DHCS worked with Google to ensure the information could no longer be searched for.
Those affected by the breach began receiving letters from the DHCS this week claiming their name and Social Security number were posted on a “public website for business purposes.” Along with names and Social Security numbers, users’ provider names, addresses and provider types are also at risk of being exposed in the breach.
As is customary with leaks of this magnitude and data breaches, the DCHS and Medi-Cal are offering users a subscription with Experian, a global credit monitoring service.
This is the second time in the last six months in-home care providers in the state have had to deal with the possible threat of identity theft. In May, a breach at the state’s Department of Social Services (DSS) put 750,000 providers at risk after the agency mistakenly mailed an unencrypted microfiche containing providers’ Social Security numbers, ID numbers and names to the wrong office. When it finally arrived, it was damaged and information was missing. That breach forced the state to change how it handles sensitive data, electing to shift to a courier-only delivery service opposed to simply dropping items in the mail.
Last year another breach at Medi-Cal accidentally leaked 2,400 of the agency’s beneficiaries after an employee mistakenly e-mailed a document to two attorneys and two union representatives. That list, much like the one posted online last month, included Medi-Cal customers’ Social Security numbers, names and other identifiable information.
Per California law, state agencies are required to notify residents of data breaches like these – and if they affect more than 500 residents, the Attorney General. For the DHCS’ notification, head here. (.PDF)