The Department of Social Services is investigating whether the Executive Branch accidentally disclosed protected client information to the legislature last month in a possible confidential data breach, according to a press release.
DSS disclosed client identification numbers in data it provided to Office of Policy and Management on medical coverage and costs. According to the department, the numbers are only meaningful if paired with other confidential information.
Because one of the budget proposals on the table for the legislative session involves the cost of administering medication to DSS clients, the information was forwarded to several lawmakers and members of organizations that administer the drugs.
“We want to stress that no client names or Social Security numbers are part of the information that was shared,” the statement from OPM Secretary Ben Barnes and DSS Commissioner Roderick L. Bremby said.
Until an investigation determines whether an actual breach occurred, the disclosure will be treated as unauthorized under the Health Insurance Portability and Accountability Act of 1996.
“DSS is contacting the legislators and legislative employees who received the information, as well as the organization representatives, to advise them of the sensitivity of the DSS client identification numbers; the need to refrain from further distribution; and how to discard them,” the statement said.
The agencies are also working on determining exactly how many identification numbers they released. The current estimate is as many as 8,500.
“We are working with the Attorney General’s Office in this matter, and will report on the results as soon as they are available. We sincerely apologize to anyone that might have been affected by this error. We are working on methods to safeguard this information, so that something like this does not happen again,” the statement said.