Error at Business Associate Exposes Turlock Irrigation District Employee Data

Turlock Irrigation District in California is notifying members of its employer-sponsored health plan that an error at a business associate has resulted in some of their protected health information (PHI) being exposed.

The business associate, Delta Health Systems (DHS), provides administrative services related to Turlock Irrigation District’s health plan. As such, it requires access to employee protected health information and is required by HIPAA to protect the integrity and confidentiality of this information. 

However, due to an error made by a third-party website developer, some employee information was made accessible through a link on DHS’s website. While the website had been configured to restrict access, the error resulted in the website allowing general access to the document, and this took precedence over the normal security controls. As a result, individuals could access sensitive employee information over the Internet without having their identity authenticated at any point.

An investigation was launched into the incident to determine the extent of the breach. Investigators determined that unauthorized individuals may have been able to access billing statements for the employer-sponsored health plan. The billing statements contained the plan member’s first and last name, employer’s name and address, DHS ID number, and Social Security number.

As unauthorized individuals may have been able to access employee Social Security numbers, individuals affected by the breach are at a heightened risk of becoming victims of identity theft. As such, Turlock Irrigation District has offered all affected employees one year of credit monitoring and identity theft protection services free of charge.

The issue was identified and corrected on April 18, 2019.

Investigators could not determine when the error was introduced; therefore, it is unknown for how long plan members’ personal information was available online. It was not possible to determine whether any unauthorized individuals accessed the billing statements while they were unprotected. However, as of yet, there have been no reports of the information being used for illegal activities.

DHS has contacted search engines to request the removal of all cached content. DHS is also revising its security policies and procedures to ensure that a similar incident does not happen again. It has built a new, more secure website that lacks the software that was misconfigured.

Following HIPAA’s Breach Notification Rule, DHS and Turlock Irrigation District have notified the California Attorney General. However, the breach has not yet been listed on the HHS Office for Civil Rights website, so it is currently unclear how many plan members have been affected.