Georgia Department of Human Services
Division of Aging Services (DAS): Data Breach

Presenter: Harold Johnson, Acting General Counsel
Presentation to: Board of Human Services
Date: August 26, 2015

Table of Contents
Attached are the details of the Georgia Department of Human Services (DHS) June 8, 2015 data breach, presented as follows:
• Breach Incident Details
• Mitigating Factors
• Mitigation After the Breach
• Notification by DHS
• Feedback After Public Notice
• Agency Action to Correct and Prevent Future Breaches
Vision, Mission and Core Values
Vision: Stronger Families for a Stronger Georgia.
Mission: Strengthen Georgia by providing individuals and families access to services that promote self-sufficiency and independence, and protect Georgia's vulnerable children and adults.
Core Values:
• Provide access to resources that offer support and empower Georgians and their families.
• Deliver services professionally and treat all clients with dignity and respect.
• Manage business operations effectively and efficiently by aligning resources across the agency.
• Promote accountability, transparency and quality in all services we deliver and programs we administer.
• Develop our employees at all levels of the agency.

Definitions
• CCSP = Community Care Services Program – Home & Community Based Medicaid waiver program under 1915c
• HIPAA = Health Insurance Portability and Accountability Act – federal regulations for the protection of PHI
• PHI = Protected Health Information – an individual's sensitive health records and private information
Incident Details
• Date of the Incident: June 8, 2015
• Date Incident Discovered: June 9, 2015
• What Occurred: A CCSP State Office staff member sent an email to a vendor that included a spreadsheet with PHI (medical diagnoses) for almost 3000 CCSP participants.
• How Discovered: After sending the email, the staff member messaged her manager to ask whether what she had done was all right. Her manager contacted the Director of the Division of Aging Services.

Mitigating Factors
• This was not the result of a system hack or a malicious attack on a database.
• The information in the spreadsheet did not contain data that is commonly associated with identity theft.
• It did not contain Social Security numbers, dates of birth, Medicaid numbers, or contact information.
• Staff did not hide information or try to evade detection of the incident.

Mitigation After the Breach
• On June 9th, the DHS Associate General Counsel contacted the three individuals at the vendor and instructed them to delete the email, delete any copies or versions of the data, report whether the data had been used or shared in any manner, and respond when those steps were complete.
• The three individuals responded, and each attested that the information was deleted and not saved or shared in any manner.
• DAS believes these statements to be credible and that the vendor has taken the required steps to prevent harm to the constituents.
Notification by DHS
Pursuant to federal HIPAA regulations for incident notification:
• Letters were mailed to all named individuals
• Press release made statewide regarding the incident
• Information links provided on the DHS and DAS websites
• Metro Atlanta phone number provided for inquiries, in addition to the DHS toll-free number
• DHS email address provided for inquiries

Feedback After Public Notice
Public responses to the notice:
• 3 inquiries by email
• 51 inquiries by phone
• 50 letters were "returned to DHS" for incorrect address

Department responses to the public:
• OLAC handled media inquiries
• All inquiries have had a timely response
• All returned letters were given to CCSP to follow up on and re-send with the correct address
• Notice posted on the home page of the DHS website
Agency Action to Correct and Prevent
• Data Breach Task Force
  • To create Department standards to minimize the risk of future breaches
  • If a breach does occur, to have standards for rapid response and minimized exposure
  • To create policy for timely compliance with all HIPAA and other reporting requirements
• DHS Department-wide HIPAA training
  • Updated training is required for all staff by Dec. 31, 2015.
  • The first group of training, with DAS, was completed by June 30, 2015 with all DAS employees.
• Updated policies
  • DAS: All "data" sharing must be reviewed and must complete an approval process that includes a review by the Division Director or his delegate.