A security incident at a Medicaid provider in Ohio last month might have resulted in data theft, the health department reported.
The Ohio Department of Medicaid revealed on Monday that an unknown party accessed data in the care of Maximus, the company’s data management provider, in May without authorization.
Maximus is a multinational, leading global provider of Medicaid enrollment services. Founded in 1975, it provides information technology services. It has 30,000 staff globally, and 11 call centers in nine states in the United States.
The affected individuals included individuals who received Medicaid benefits under the state’s program. The exposed information included names, dates of birth and Social Security numbers.
Besides the exposure, data of Medicaid patients or beneficiaries was not affected by the security incident that occurred from May 17 to May 19.
Maximus said that it acted swiftly to prevent any adverse impact, which may have prevented more serious consequences of the incident. The hacker was able to access the information through an application. After finding the intrusion, Maximus immediately took it down and contacted law enforcement.
An investigation was launched into the data breach and is being monitored by the Medicaid department.
Those affected by the incident are being given two years of free credit monitoring services.
Maximus is not new to data breaches. In May 2018, the company notified about a data breach that affected thousands of patients. The issue at the time was caused by a printing error. As a result participants in Medicaid and the Children’s Health Insurance Program (CHIP) received a latter not intended for them. Then, in February 2018, Business Ink, the data company’s print vendor, inadvertently sent out letters that contained personal information, such as email addresses and group and case numbers.