A Butler County employee inadvertently sent out an email with wellness information regarding the county’s health insurance, and that might have violated HIPAA laws.
The county’s wellness coordinator Shawna Smith sent out an email in September that included a spreadsheet that had hidden columns that included some employee information that may have violated federal HIPAA laws. A notice went out Tuesday to 1,350 employees impacted by the possible breach.
The spreadsheet, according to Human Resources Director Laurie Murphy’s letter, included names, insurance identification numbers and information about the employee’s participation in the county Wellness Program. She noted the information isn’t sensitive — no passwords, social security numbers — but warned them to be vigilant.
“Although the risk of harm to participants is low since the information was generally not sensitive in nature, participants whose PHI (protected health information) was improperly distributed should take steps to monitor the use of their health insurance to prevent fraudulent use by third parties,” Murphy wrote.
The warning was a bit of “overkill” Murphy told the Journal-News, but recommended by the attorney they hired to look into the matter, that is now under federal investigation by the Department of Health and Human Services.
“If there was some nefarious individual out there connecting the name to the health insurance identification number, it’s highly, highly unlikely, but the attorney just wanted me to put that in there,” Murphy said.
County Administrator Charlie Young told the Journal-News they have exercised the utmost caution in this situation because it involves federal HIPAA laws. He said he doesn’t believe there will be ramifications from the federal government.
“There’s always a possibility,” Young said. “Our attorney that we retained for this purpose doesn’t believe that there will be or should be. Our attorney has advised us we’ve done all the things we should do in responding once we discovered it. Would not expect to see any penalties or repercussions.”
Young said there was no “malicious intent,” but they will be discussing whether any form of discipline is warranted.
Commissioner T.C. Rogers said it was an unfortunate situation, but he is not worried employees are at risk.
“It wasn’t malicious,” he said. “And we’re not even in the same jeopardy as these large banks where they breach their security information.”
The county is in the throes of negotiating a new health insurance contract with United Healthcare — a process that caused some consternation among the three commissioners — and Commissioner Cindy Carpenter says that new plan will prohibit breaches in the future.
Under the current system, the county kept track of the wellness program internally via the spreadsheet. Under the new plan — that has yet to be ratified — she said the employees have personalized accounts that they control.
“I’m very, very confident that our new health insurance company will not allow anything like that to happen,” she said. “No internal lists will ever be kept again.”