“It was just an error, but nonetheless information was distributed that should not have been, to parties that should not have received it,” Boyko said. “Nothing malicious or anything like that happened, but there need to be controls in place and systems in place that this information is not inadvertently nor maliciously distributed. The commissioners’ position was they needed to take some action.”
The breach was reported to the Department of Health and Human Services, and Commissioner Don Dixon said there were no sanctions from that investigation.
“It was just a policy she should have followed and didn’t,” Dixon said. “And even though it didn’t cause any repercussions it still had to be addressed.”
Boyko said the human resources department is working to make sure it has the systems in place to ensure this doesn’t happen again.
The spreadsheet, according to Human Resources Director Laurie Murphy, included names, insurance identification numbers and information about the employees’ participation in the county Wellness Program. She noted the information isn’t sensitive — no passwords or Social Security numbers, for instance — but warned employees in a letter in December to be vigilant.
“Although the risk of harm to participants is low since the information was generally not sensitive in nature, participants whose PHI (protected health information) was improperly distributed should take steps to monitor the use of their health insurance to prevent fraudulent use by third parties,” Murphy wrote.
Smith has declined to comment.