RALEIGH, N.C. - The North Carolina Department of Health and Human Services notified the U.S. Health and Human Services Office for Civil Rights of a Sept. 14 incident in which protected health information was sent in an unencrypted email. The notification is required by the Health Information Technology for Economic and Clinical Health, or HITECH Act.
An employee sent an unencrypted email to the Orange County and Ashe County health directors on that date. The email contained a spreadsheet with 524 individuals' first name, last name, Medicaid recipient ID number, Social Security number, date of birth, address, gender, ethnicity, race, insurance information and provider name.
DHHS recently installed additional software for all its employees that will intercept emails such as this and block these types of emails from being sent unencrypted. The software will alert the sender to encrypt an email if it contains social security numbers - in the body of email text, or in attachments - and won't allow that email to be sent until it is encrypted.
"We take very seriously our responsibility to secure the personal information entrusted to us," said Dave Richard, Deputy Secretary of Medical Assistance. "This technology adds a safety net and a layer of protection that goes beyond the human element. This is an important, necessary addition to our workflow."
The DHHS Privacy and Security Office was notified of the incident. While DHHS cannot determine for certain that the email was not intercepted during transmission over the open Internet, DHHS has no reason to believe the information was compromised in any way.
DHHS has mailed letters to all affected individuals. Individuals notified about the incident can take steps to protect themselves by putting a fraud alert on their credit files and by keeping an eye on their bank statements and credit card bills for unusual or unauthorized activity. If you may have been affected by this incident and have questions, please call 1-800-662-7030.