The Arkansas Department of Human Services on Wednesday reported a security breach after an employee mishandled Medicaid client information.
The department said it learned on Sept. 16 that an employee had sent messages from her official email account to her personal Yahoo account with client information attached. The attachments included Excel spreadsheets used to notify the Department of Health of the number of Medicaid clients who had been diagnosed with the flu.
The information included the Medicaid ID, date of birth, gender, county, ZIP code, and flu diagnosis of 925 people. It did not include names, Social Security numbers, or the clients’ full addresses. No financial information was included.
The department said it's notifying affected clients by mail and has taken steps to "mitigate the risk and prevent similar incidents from happening in the future."
Employees are required to complete annual HIPAA training on topics such as using secure and encrypted email and not using personal email to send and receive health information.