An improperly secured server maintained by the Utah Department of Technology Services (DTS) was hacked into on March 30, compromising personal health information (PHI) of thousands of people. The victims are likely to be Medicaid or Children’s Health Insurance Program (CHIP) recipients who have visited a health care provider in the past four months, and individuals whose provider recently verified his or her Medicaid status.
“It is now believed that a total of approximately 280,000 victims had their Social Security numbers stolen and approximately 500,000 other victims had less-sensitive personal information stolen,” reported the Utah Department of Health (UDOH) in an April 9 press release. “Less-sensitive” PHI may include names, dates of birth, and addresses.
The health department originally thought 24,000 individual claims had been compromised, according to an April 4 press release. Further investigation determined that 24,000 files had been removed, according to an April 6 press release, and each file can potentially contain claims information on hundreds of people. This increased the number of possible ID theft victims considerably.
According to the press release, the state will be sending letters directly to victims as they are identified. The DTS and UDOH warn that no one will be calling or emailing identified victims and asking for personal information.
Medicaid clients can call 1-855-238-3339 to find out if their information has been compromised. Additional information about the data breach can also be found on the UDOH website.
April 12th, 2012
In our digital age, identity theft is a growing concern for everyone—physicians included. Identity thieves steal providers’ personal information and use it to receive illegitimate Medicare payments, leaving the victimized providers with overpayment demands, tax liabilities, and credit degradation. Often, a provider does not know that his identity has been compromised until he receives overpayment demand letters from Medicare administrative contractors (MACs).
To help legitimate providers who have suffered unwarranted financial liability as a result of having their identities stolen by thieves who use those identities to fraudulently bill Medicare, the Centers for Medicare & Medicaid Services (CMS) has created the provider victim validation/remediation initiative.
Physicians who believe they had their identity stolen will contact program integrity contractors (comprised of program safeguard contractors (PSCs) and zone program integrity contractors (ZPICs)), who will “conduct extensive investigations and report their findings to CMS,” according to an October letter describing the program. CMS will make the final decision whether to relieve providers of liability, and will inform the affected provider of its decision, in writing.
Provider victim validation/remediation initiative contacts are listed on pages 2-5 of the CMS letter, and are grouped by state, Medicare service (Part A, Part B, durable medical equipment (DME), etc.), and contractor.
Physicians who believe they are the victims of Medicare identity theft, but who have not yet suffered any financial liability, should contact their jurisdictional MAC or contact the Office of Inspector General (OIG) hotline at 1-800-HHS-TIPS.
December 15th, 2011