
[A] survey snafu last week led to the disclosure of some Vermont Health Connect and Medicaid customers’ email addresses, state officials said Thursday.
In total, 127 people sent emails — some inadvertently and some not — to other health insurance consumers amid confusion about an online survey issued July 20 through the Department of Vermont Health Access.
The department said no other personal or health information was disclosed — only email addresses. But officials have reported the issue to federal authorities, and they said the department’s privacy officer is working with those who were affected.
“We take privacy very seriously and are committed to members’ privacy,” said Sean Sheehan, the department’s deputy director of health access eligibility and enrollment.
The issue arose as the Agency of Human Services seeks ways to improve the process of applying for state benefits. Last week’s survey includes a variety of questions about residents’ experience with state programs like Vermont Health Connect, Medicaid, Reach Up, 3SquaresVT and low-income heating assistance.
“We’re really looking for feedback from members and people that use the services,” Sheehan said. A long-term goal, he added, is creating “one-stop shopping” for health care and other benefits.
In one sense, the survey is proving valuable: Sheehan said there have been more than 1,000 responses, and “we’ve gotten some very helpful feedback.”
“Hopefully, we’ll continue to hear from more folks and will be able to continue to improve,” he said.
But the survey also has caused trouble.
The department sent a link to the online survey in an email “using the same distribution list that we use to contact members about open enrollment deadlines or resources for selecting a (health) plan,” Sheehan said.
In all, that email went to about 37,000 people.
Sheehan said seven recipients, rather than clicking on the survey link, replied to the department’s email with questions “along the lines of, ‘How do I know this is legitimate?’” And due to an “erroneous” email setting, those replies went to everyone on the distribution list.
The email went out at 11:20 a.m. July 20. “Within two or three hours, we discovered the error, and we had the settings fixed by 2:45 (p.m.),” Sheehan said.
Even after that fix, some confusion continued. About 120 people replied to the original seven emails sent by survey recipients, though by that point they could no longer reply to the entire distribution list.
The bottom line, officials say, is that the mishap caused the circulation of email addresses that are connected to Vermont Health Connect consumers.
But it’s not clear whether that could cause any issues under the federal privacy law known as HIPAA — the Health Insurance Portability and Accountability Act.
HIPAA restricts the disclosure of “protected health information.” But Sheehan said email addresses alone would not fall under that category.
Rather, he said the addresses are classified as “personally identifiable information” because they don’t contain information about a person’s health care or health conditions.
Sheehan pointed out that, unlike high-profile consumer data breaches that have occurred across the country, the state’s survey glitch “has a much more limited potential for misuse of personal information.”
“It’s certainly not the same potential for impact as having a Social Security number or a credit card exposed,” he said.
But Sheehan also acknowledged that the department made a mistake in allowing for a “reply all” scenario. He said officials have reported the problem to the Centers for Medicare & Medicaid Services.
Also, the department has sent a notice to those involved and has offered the services of a privacy officer “to see if they have any questions or want to talk about it,” Sheehan said.
Officials also are taking steps to ensure the situation doesn’t reoccur.
That involves looking at technological fixes “but also making sure there are the human steps — a clear protocol to check all settings to make sure that they are proper, and to have a second person double-check those settings and the checklist to make sure everything is done right,” Sheehan said.
Also, Sheehan said “we could have been clearer” about how survey recipients could ask questions.
“Going forward, we’re going to make sure that any emails we send out have a very clear and easy way for people to (check) the legitimacy of the email,” Sheehan said.
Mike Fisher, the state’s chief health care advocate, said his office has not received any complaints or questions about the matter.
“Mistakes do happen,” Fisher said. “It sounds like Vermont Health Connect is really engaged in making sure this kind of mistake doesn’t happen again, and they’re providing the kind of supports that people need.”
