Georgia Department of Human Services Division of Aging Services (DAS): Data Breach Presenter:Harold...

Date post: 12-Jan-2016
Page 1: Georgia Department of Human Services Division of Aging Services (DAS): Data Breach Presenter:Harold Johnson Acting General Counsel Presentation to: Board.

Georgia Department of Human Services Division of Aging Services (DAS): Data Breach

Presenter: Harold Johnson, Acting General Counsel

Presentation to: Board of Human Services

Date: August 26, 2015

Georgia Department of Human Services

Page 2

Table of Contents

Attached are the details of the Georgia Department of Human Services (DHS) June 8, 2015 data breach, presented as follows:

Topic/Content (Slides)
• Breach Incident Details (5)
• Mitigating Factors (6)
• Mitigation After the Breach (7)
• Notification by DHS (8)
• Feedback After Public Notice (9-10)
• Agency Action to Correct and Prevent Future Breaches (11-12)

Page 3

Vision, Mission and Core Values

Vision
Stronger Families for a Stronger Georgia.

Mission
Strengthen Georgia by providing Individuals and Families access to services that promote self-sufficiency, independence, and protect Georgia's vulnerable children and adults.

Core Values
• Provide access to resources that offer support and empower Georgians and their families.
• Deliver services professionally and treat all clients with dignity and respect.
• Manage business operations effectively and efficiently by aligning resources across the agency.
• Promote accountability, transparency and quality in all services we deliver and programs we administer.
• Develop our employees at all levels of the agency.

Page 4

Definitions
• CCSP = Community Care Services Program – Home & Community Based Medicaid waiver program under 1915c
• HIPAA = Health Insurance Portability and Accountability Act – federal regulations for the protection of PHI
• PHI = Protected Health Information – an individual's sensitive health records and private information

Page 5

Incident Details
• Date of the Incident: June 8, 2015
• Date Incident Discovered: June 9, 2015
• What Occurred:
  – CCSP State Office staff member sent an email to a vendor which included a spreadsheet with PHI (medical diagnosis) for almost 3000 CCSP participants.
• How Discovered:
  – That staff member sent a message to her manager after she sent the email, asking if what she had done was alright. Her manager contacted the Director of the Division of Aging Services.

Page 6

Mitigating Factors:
• This was not the result of a system hack or malicious attack on database.
• The information in the spreadsheet did not contain data that is commonly associated with identity theft.
  – It did not contain social security numbers, dates of birth, Medicaid numbers, or contact information.
• Staff did not hide information or try to evade detection of incident.

Page 7

Mitigation after breach:
• On June 9th, DHS Associate General Counsel contacted the three individuals at the vendor and instructed them to delete the email, delete any copies or versions of the data, to report if that data had been used or shared in any manner, and to respond when those steps were complete.
• The three individuals responded and each attested that the information was deleted and not saved or shared in any manner.
• DAS believes these statements to be credible and that the vendor has taken the required steps to prevent harm to the constituents.

Page 8

Notification by DHS

Pursuant to federal HIPAA regulations for incident notification:
• Letters were mailed to all named individuals
• Press release made statewide regarding incident
• Information links provided on DHS and DAS websites
• Metro Atlanta phone number provided for inquiries in addition to the DHS toll-free number
• DHS email address provided for inquiries

Page 9

Feedback after public notice

Public Responses to notice:
• 3 inquiries by email
• 51 inquiries by phone
• 50 letters were “returned to DHS” for incorrect address

Page 10

Feedback after public notice

Department Responses to Public
• OLAC handled media inquiries
• All inquiries have had timely response
• All returned letters were given to CCSP to follow up on and re-send with correct address
• Notice posted on home page of DHS website

Page 11

Agency Action to Correct and Prevent
• Data Breach Task Force
  – To create Department standards to minimize the risk of future breaches
  – If breach does occur, to have standards for rapid response and minimized exposure
  – To create policy for timely compliance with all HIPAA and other reporting requirements

Page 12

Agency Action to Correct and Prevent
• DHS Department-wide HIPAA training
  – Updated training is required for all staff by Dec. 31, 2015.
  – First group of training with DAS was completed by June 30, 2015 with all DAS employees.
• Updated policies
  – DAS: All “data” sharing must be reviewed and must complete approval process which includes a review by the Division Director or his delegate.

Page 13

Questions