State of New Jersey Department of Human Services, Division of Medical Assistance and Health Service
Your Personal Info Could Be
Exposed Online After
This Hospital Breach
Breach Description
The New Jersey Department of Human Services, specifically the Division of Medical Assistance and Health Services, experienced a data breach that affected some NJ FamilyCare clients. This incident involved the accidental disclosure of names and the last four digits of Social Security numbers. The breach occurred when 1095B tax forms, which confirm health coverage from NJ FamilyCare, were mailed out incorrectly to 842 households on or after April 11. These forms mistakenly included information for individuals not part of the recipient’s household. The Department has since initiated an investigation, found the cause to be a data compiling error, and is taking steps to prevent future occurrences. They have also requested those who received incorrect information to destroy the forms and are reviewing and updating their mailing procedures[1].
Additionally, another security incident was reported involving the potential exposure of personal information and protected health information (PHI) due to a data security incident at the Division of Medical Assistance and Health Services. This incident was discovered on March 17, 2023, when an applicant found their Asset Verification System report, a document generated during the Medicaid application process, in search engine results. The Department responded by removing the document from the search engine, conducting an internal investigation, and patching the system error that allowed the information to be publicly available. It was found that limited Medicaid application documents for certain individuals were also publicly available through search engines. These documents have since been removed from the search engines, and the Department has engaged third-party forensic investigators to assist with the investigation and remediation[7].
Citations:
- https://www.nj.gov/humanservices/njfcdata.html
- https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf
- https://www.cyber.nj.gov/threat-analysis-reports/healthcare-and-public-health-sector
- https://www.nj.gov/humanservices/news/pressreleases/2023/approved/20230711.shtml
- https://njfamilycare.dhs.state.nj.us/docs/NJFC-HIPAA.pdf
- https://www.commerciallitigationupdate.com/new-jersey-takes-aggressive-action-against-alleged-hipaa-violations
- https://www.mass.gov/doc/assigned-data-breach-number-30001-state-of-new-jersey-department-of-human-services/download
- https://www.njleg.state.nj.us/bill-search/2022/S3714/bill-text?f=S4000&n=3714_I1
- https://www.nj.gov/oag/newsreleases20/pr20201008b.html
- https://www.njoag.gov/new-jersey-health-care-providers-will-adopt-new-security-measures-and-pay-425000-to-settle-investigation-into-two-data-breaches/
- https://www.njleg.state.nj.us/bill-search/2024/S2052/bill-text?f=S2500&n=2052_I1
- https://www.justice.gov/opa/pr/justice-department-finds-state-new-jersey-violated-us-constitution-deficient-care-two-state
- https://www.hipaajournal.com/hipaa-breaches/
- https://www.njconsumeraffairs.gov/ocp/Pages/cyberfraud.aspx
- https://www.njcourts.gov/system/files/court-opinions/2023/a0886-21.pdf
- https://www.hhs.gov/about/news/2023/06/05/hhs-office-civil-rights-reaches-agreement-health-care-provider-new-jersey-disclosed-phi-response-negative-online-reviews.html
- https://www.njcourts.gov/system/files/court-opinions/2023/a2446-20.pdf