Medicaid breached
Washington State Health Care Authority is warning that tens of thousands of people's client data was at riskiStock

Tens of thousands of people involved in a US government healthcare programme have been told their data may have been compromised, the Washington State Health Care Authority (HCA) has revealed.

The discovery came to light after a whistleblower brought forward evidence of "misuse of state resources". The HCA says its investigation found that sensitive health information of more than 91,000 Medicaid clients was "improperly handled" by two state employees.

The Medicaid programme affected is called Apple Health, which provides free or affordable healthcare to individuals with low incomes. Currently, the programme covers 1.8 million Washington state residents in total.

The authorities are in the process of notifying those affected that their social security numbers (SSNs), dates of birth, Apple Health client ID numbers and private health information have all been put at risk.

How did this happen?

Analysis suggests the suspected employees had swapped the confidential information between November 2013 and late 2015. According to The Seattle Times, the employees were a woman who worked for the state Health Care Authority (HCA) and her brother, who worked for the Department of Social and Health Services (DSHS).

"Two state employees in two state agencies exchanged Apple Health client files in violation of requirements under the federal Health Insurance Portability and Accountability Act (HIPAA)," the HCA said in a statement. Both employees have since been fired and federal officials have been notified of the incident.

Steve Dotson, HCA risk manager, said that the first priority for his department is to protect clients' personal data. "We have taken swift action to address this issue and help prevent future incidents. I know this is stressful and concerning for those impacted, and we are doing everything possible to support them," he said.

"While we have no indication that the client files went beyond the two individuals involved, important privacy laws were violated and we are exercising caution and due diligence given the nature of the information."

Washington State Health Care Authority has written to the victims, saying it will now set up one year of free credit monitoring for those involved.