Audit Reveals Breach of 90,000 Medicaid Patients’ Data in Washington

A state employee under investigation for visiting adult content sites on his work computer was also found sharing private information with his sister who worked at the state Health Care Authority.

by Melissa Santos, The News Tribune (Tacoma, Wash.) / February 19, 2016

(TNS) -- A recent breach of 91,000 Medicaid patients' information was discovered during a separate investigation into a state employee who was viewing Internet pornography at work, new audit reports reveal.

The state Auditor’s Office was investigating improper computer use by an employee at the state Department of Social and Health Services when it found the employee’s computer contained 57 files from the state Health Care Authority, according to audit reports released Thursday.

When questioned, the DSHS employee told investigators that his sister, who worked at the HCA, had sent him the documents so he could help her work on the spreadsheets.

The sharing of confidential information between the two Washington state employees violated federal privacy rules, according to the HCA. The documents contained Medicaid clients’ Social Security numbers, names, dates of birth and private health information.

Both employees have since been fired.

State auditors began investigating the DSHS employee for misusing his state computer in 2014, after receiving a whistleblower report about the alleged activity.

During the course of the auditors’ 11-month investigation, they found the employee had visited more than 150 sites for sexually explicit films, and had saved 55 personal favorites in his Internet browser that linked to adult content.

The employee had also spent up to seven hours some workdays conducting personal activities on his state-owned computer, according to the audit. During one work week in May 2015, the employee spent 27 hours browsing web sites unrelated to work, auditors found.

When confronted about his computer use, the employee told investigators “he has approximately 15 minutes of work to do each day.”

The employee also “said his job is much like that of a firefighter — most of the time he has nothing to do until there is an emergent situation,” according to the auditors’ report.

The employee’s supervisor refuted that account, saying there was “plenty of work” to be done.

Jan Jutte, deputy state auditor, said Thursday that it’s “highly unusual” for one whistleblower investigation to uncover misconduct at another agency.

She said her employees immediately opened another investigation into misconduct by the HCA employee as soon as they suspected confidential data had been shared.

As for the DSHS employee’s computer use, it quickly became clear that his use of his work computer violated agency rules, which allow only infrequent or occasional personal use of state resources, Jutte said.

“I think when you can see that an individual has spent seven hours doing personal stuff in any one day — and we saw more than one instance where that was the case — it’s hard to say that’s anything but egregious,” Jutte said.

A spokeswoman for the Health Care Authority, Amy Blondin, said the agency is grateful the whistleblower investigation uncovered the data breach.

“Protecting Apple Health (Medicaid) clients’ information is a top priority for us,” Blondin wrote in an email Thursday. “We took swift action to terminate employment of the individual involved, and to notify impacted clients and offer free credit monitoring.”

©2016 The News Tribune (Tacoma, Wash.) Distributed by Tribune Content Agency, LLC.