The Colorado Department of Health Care Policy and Financing inadvertently sent letters intended for individuals seeking to enroll in medical assistance programs to the wrong addresses, resulting in a breach of protected health information.

A similar inadvertent mailing of letters to beneficiaries of other non-health government programs affected additional individuals.

The medical assistance letters were mailed between May 25 and July 5, and the problem was discovered on July 1 when a resident receiving a wrong letter notified county officials. Deloitte was handling the mailings under a contract with the state Office of Information Technology, which corrected the error on July 5. The wrongly addressed letters were intended for individuals from 1,622 households; the total number of affected individuals is not yet clear, according to a Health Policy department spokesperson.

Information that may have been in the letters includes name, address, state identification number, Medicaid case number, names of individuals in the household, employer name, income from the employer, amount of an advanced premium tax credit, and whether individuals were approved or denied for several medical assistance programs including Medicaid and the Child Health Plan, according to a department statement. A date of birth was disclosed for less than 50 individuals.

Also See: Blues Plans to Offer ID Protection as Part of Coverage

In May, Deloitte made changes to the benefits management system, which apparently created the mailing problem, the departmental spokesperson says. Notification letters started going out on August 18 and the department is offering one year of credit monitoring services from Experian.

The breach also affected beneficiaries of food assistance, financial and employment services, in total affecting about 3,000 individuals between both breaches. This separate breach of personally identifiable information included letters to 1,069 incorrect households that included Social Security numbers. And another 353 incorrect households got letters with other personally identifiable information such as name, address and state identification number. Individuals with exposed Social Security numbers also are being offered protective services from Experian.

The Office of Information Technology has instituted two quality checks in the mailing process to prevent a reoccurrence. “The first verifies that the names printed on letters match the individuals linked to a case; the second verifies that the address matches the intended address for the communication,” according to a statement from the IT office. “If either check fails, the letter is not mailed.”

Register or login for access to this item and much more

All Health Data Management content is archived after seven days.

Community members receive:
  • All recent and archived articles
  • Conference offers and updates
  • A full menu of enewsletter options
  • Web seminars, white papers, ebooks

Don't have an account? Register for Free Unlimited Access