Fraud Unit Breach
The New York state office that investigates Medicaid fraud has suspended one of its own workers after the individual allegedly sent 17,743 records of Medicaid beneficiaries to the employee’s personal e-mail account. The employee, whose name, gender and job title were not released, worked in the Office of Medicaid Inspector General, based in Albany, N.Y. That office is charged with fighting Medicaid “fraud, waste, and abuse,” according to OMIG’s website.
OMIG discovered that the employee sent to a personal e-mail account thousands of records that may have contained names, dates of birth, Medicaid client information numbers and “some” Social Security numbers of Medicaid recipients, says an OMIG spokeswoman.
The employee is on administrative leave while an independent investigation is being conducted by the New York State Inspector General’s Office, the spokeswoman says. “Hopefully, that IG report will be coming out soon,” she says, declining to discuss details of the case while the investigation is ongoing. OMIG is cooperating with the investigation, she says.
In an OMIG statement the organization says: “The employee is suspected of having made a personal decision, without agency involvement or authorization from OMIG leadership or his or her personal supervisors” to send the records to the personal e-mail address.
The OMIG spokeswoman declined to discuss possible motives for the worker releasing the information or whether any fraud involving the data is suspected.
In any case, OMIG has sent letters to each breach victim, recommending individuals place an alert on their credit reports by contacting the three major credit reporting agencies, Equifax, Experian, and TransUnion. The agencies will provide free credit monitoring services for one year, says OMIG.
In addition, OMIG has set up a toll-free hotline to assist individuals with their questions regarding the breach. That includes language translation services for non-English speaking individuals.
Since this incident occurred, OMIG has devised tighter controls in its information technology department to limit access to data, ensuring that only those investigators and auditors who need data for specific investigatory or auditing purposes can retrieve such information, says the statement. “Under this enhanced approach, the employee would not have had access to the information included in this breach.”
In addition to using role-based controls to prevent improper data access by insiders, privacy and security experts also suggest the use of monitoring tools to detect suspicious activity, as well as data loss prevention and filtering technology to help stop unauthorized information from being sent.