TOPEKA — Personal medical identification and Social Security numbers, dates of birth and other private information of more than 11,000 Kansans was mistakenly released to contractors by a state government agency, officials said Thursday.
The Kansas Department for Aging and Disability Services said the Feb. 15 incident involved transfer of personal or protected health information to state contractors, but insisted no evidence show data was shared outside the agency or contractors. Two individuals at KDADS were dismissed, which apparently wasn't reported to upper-level KDADS administrators until Feb. 23.
"I want to make sure this doesn't happen again," said Gov. Jeff Colyer. "My understanding, at this point, is that the breach was very limited in scope. It was all kept contained."
KDADS, which is led by Secretary Tim Keck, was still “actively investigating this matter to determine how" private information on the 11,000 Medicaid or potential Medicaid recipients was disclosed to contractors working in two-dozen offices across the state.
Rep. John Carmichael, D-Wichita, said reports of the latest security breakdown in the state’s information technology network followed improper release of personal data on workforce development participants, Social Security information about legislators and state government official.
“It should come as no surprise at all that KDADS is just as careless with our personal information as other agencies in state government,” he said.
In July 2017, hackers broke into the Kansas Department of Commerce's data system used by 10 states for workforce development and took millions of Social Security numbers.
KDADS confirmed the mishap moments before the Kansas House began debate on a pair of cybersecurity bills. The Legislature’s auditing division has produced a series of IT security reports, which remain confidential, that outlined serious shortcomings in computer systems at agencies large and small.
“We’re exposed. We are not doing a good job as a state,” said Rep. Jeff Pittman, a Leavenworth Democrat. “Some agencies are good. Some are not.”
KDADS said the improper email contained an attachment which included individual’s names, addresses, dates of birth, Social Security numbers, gender, in-home services program participation information and Medicaid identification numbers, KDADS said. The agency said no banking, credit card or driver license information was included in the attachment.
"We do not believe any of the information ended up in the wrong hands. It went to our contractors," said Angela De Rocha, spokeswoman at KDADS. "We are acting out of an abundance of caution."
The information was forwarded by an employee at KDADS to network offices of the Kansas Aging and Disability Resource Center, which is designed to be a source of objective assistance about services to seniors, people with disabilities and caregivers in making informed choices about services and supports.
Individual offices handling an applications receive personal information on specific individuals, KDADS said, but none should receive bulk emails with information on 11,000 people. KDADS said the contractors were asked to delete the large data files.
“The agency has put in place additional safeguards to ensure that an incident like this this does not occur again,” the agency said.