Some Idaho Medicaid patients were impacted by a data breach. Here’s what you can do

Noble Brigham
·2 min read

An “unauthorized person” breached a Medicaid provider’s payment account in April, putting the personal information of 2,501 people at risk, according to Idaho Department of Health and Welfare.

Idaho’s health agency and its claims processor, Gainwell Technologies, notified the FBI of the breach, according to a Monday news release from Health and Welfare. Gainwell declined to disclose to the Idaho Statesman the provider that was affected, the kind of provider or the safeguards they plan to put in place in the future. Those affected can get free credit monitoring and identity theft protection for a year, according to the news release.

Someone accessed the account on April 18 by stealing the provider’s credentials and entering the Gainwell portal, Gainwell spokesperson Elizabeth Bonet and the release said. That means they may have been able to see the names, identification numbers, billing codes and treatment information for .7% of Idaho residents enrolled in Medicaid.

Patients’ Social Security numbers were not included in the information that might have been exposed, Bonet said in a phone interview.

As for the other data, the state release said “at this time, there is no evidence that any of the potentially exposed information has been used.”

Bonet said Gainwell terminated the unauthorized access as soon as they discovered the breach on May 12. She declined to say how company officials discovered the breach, which provider it affected or the type of provider.

But Greg Stahl, a spokesperson for Health and Welfare, said in an email that they found out because a bank raised a red flag after dispersing payment.

Gainwell and the Department of Health and Welfare began an investigation and reported the incident to the FBI, the release said.

On June 9, those impacted received a notification letter from Gainwell and the state, signed by Gainwell’s privacy officer, Bonet said in a follow-up email. They can get credit monitoring and identity safeguard services for free from IDX, a “breach response” company, according to its website.

Bonet said in an email people can also review their credit reports and place fraud alerts with credit bureaus. Patients were not notified sooner because of the time it took to identify the people affected and set up the identity protection, she said.

Gainwell and Idaho are working to set up additional security mechanisms for the future. But citing “security reasons,” Bonet said she couldn’t discuss those initiatives.

Stahl said that moving forward, the process for enrolling and changing banking information will include a validation of that information by the provider.

If you think your data may have been included, you can call IDX at 800-939-4170.