From: Juneau Empire

Department denies wrongdoing but pays $1.7 million ‘settlement’

By PAT FORGEY

Alaskans worried about identity theft had a bad couple of days in 2009, but they didn’t know about it at the time.

First, on Friday, Oct. 9, an employee of a national accounting firm working for the Division of Retirement and Benefits lost a laptop from a vehicle. It was thought to contain personal identity information for almost every current or retired state or local government employee in Alaska.

Then, the following Monday, a member of the Department of Health and Social Services’ helpdesk team left his vehicle at a gas station on Anchorage’s Tudor Road to pay for gas.

While he was gone, a 120-megabyte portable hard drive was stolen. The drive was used by technicians to move data between computers, and may have contained Medicaid or other information for a variety of Alaskans who use the department’s programs.

Both incidents would be costly to those who lost the data, but there’s no evidence any identities were stolen, state officials said.

In the Oct. 9 incident, accounting firm PricewaterhouseCoopers did not let Alaska know about the incident until January, and then state officials kept the loss quiet while they negotiated a settlement with the company in which it paid for two years of credit protection for concerned employees and retirees. The state also needed time to set up a phone bank, they said.

Union officials said at the time that the state should have received a better deal, including a longer period of monitoring, but Department of Administration then-Commissioner Annette Kreitzer said it was important to get the credit protection in place quickly, and not have a protracted legal battle.

It appears that many were concerned. A phone bank set up by the Division of Retirement and Benefits fielded 12,000 calls and 25,000 of 77,000 current and former public employees availed themselves of the credit protection services.

After the Oct. 12 theft, the Department of Health and Social Services notified the public on Oct. 30, the department said.

The loss of the disk drive resulted in much less media attention than did the laptop loss when it was later reported, and department computer experts say they’re now convinced there was no personal information on the lost device.

“While it was unclear whether any individual Alaskans’ personal information was on the stolen device, the department takes the security of such information very seriously and wanted to ensure that Alaskans were warned of the possibility,” said Thor Ryan, chief security officer for the department.

What the loss of the drive did do, however, was focus attention on the department’s security policies and result in an investigation by the U.S. Department of Health and Human Services’ Office for Civil Rights.

“Over the course of the investigation, OCR found evidence that DHSS did not have adequate policies and procedures in place to safeguard ePHI,” or electronic protected health information of Medicaid beneficiaries, the feds said.

That’s required under the Health Insurance Portability and Accountability Act and the Health Information Technology for Economic and Clinical Health Act.

The Alaska department didn’t admit violations, but agreed to pay $1.7 million to the U.S. Department of Health and Human Services’ Office for Civil Rights, which enforces the acts, under a “settlement agreement.”

That was the second largest such payment ever imposed, and reportedly the largest ever against a state Medicaid program.

Commissioner Bill Streur of the Alaska department disputed the federal allegations, calling them “misleading.”

Streur’s statement, posted as a press release to the department’s website but not sent to the press, said that the settlement was not an admission of a violation or liability.

The state settled to avoid costly and protracted litigation that might have been even more expensive, he said.

He also disputed some of the federal agency’s conclusions, without disputing the facts behind them.

“OCR stated that DHSS did not have a current risk assessment,” he said. “We did have a risk assessment, but it was several years old. It has not been clear in our dealings with OCR what the definition of ‘current’ is by OCR, or that there even is a definition.”

After both of the October 2009 incidents, officials with both departments say they’ve improved their procedures.

Kreitzer told legislators that her department was in the process of moving away from using Social Security numbers as identifiers and switching to a unique state number instead. Had that been completed by 2009, it would have severely limited the risk of identity theft, she said.

And the Department of Health and Social Services said at the time of the disk drive loss that it was moving to a new security system that would encrypt portable devices, and sped up its implementation.

The settlement agreement Streur signed pledges the state will comply with federal data protection requirements in the future.