Brother-Sister Email Exchanges Breached Washington Medicaid Patient Data

Two Washington state employees — a woman who worked for the state Health Care Authority and her brother, who worked for the Department of Social and Health Services — apparently emailed each other messages containing private health information for years. 

The woman was a medical-assistance specialist and her brother was an Internet technician.

The pair told investigators that the sister asked her brother for technical help with spreadsheets that contained Apple Health Medicaid program records, saying that the information was not used for improper purposes or forwarded to unauthorized users.

A whistleblower within department alerted officials to the issue.

The transfer of information violated patients’ privacy rights and indicated a pattern of behavior, said Steve Dotson, HCA risk manager. 

“We have no indication that the client files went beyond the two individuals involved,” he said. Because officials could not confirm that the data remained inside state systems, the incident is being treated as a breach. Letters were sent on Feb. 9 to affected Medicaid members.

The case has been referred to federal officials for further investigation, including possible criminal review.

Both employees have been fired. 

The information swapped included client Social Security numbers, dates of birth, Apple Health identification numbers and private health information.