Officials with the Kansas Department for Aging and Disability Services said Thursday that a staff member improperly disclosed personal information for 11,000 people in an email sent to multiple addresses.
Angela de Rocha, a KDADS spokeswoman, said the disclosure includes Social Security numbers, birth dates and other personal details of Medicaid recipients and potential recipients of the health care program.
Such personal details, particularly the combination of a Social Security number with a date of birth, can be all a criminal might need for identity theft.
The agency said it had no indication that the information has been misused or spread further. KDADS learned of the disclosure last month.
Gov. Jeff Colyer said that his administration is investigating the breach and that the worker was fired.
“I’m upset about it. I think that employee needed to be terminated. They were,” Colyer said. “We are going to be watching this. I want to make sure this does not happen again.”
The information was improperly emailed to local contractors with the state’s 11 area agencies on aging.
“KDADS emailed all of the individuals on the recipient list, advised them of the situation and asked them to delete or destroy the email,” de Rocha said. “In addition, they were asked to shred any printed copies.”
The state is contacting affected individuals to inform them about the data breach.
De Rocha said it would not have been a violation to send the personal information about a specific individual to the local organization assisting that person. The problem in this case, she said, was sharing the personal information of thousands of individuals with multiple organizations.
In a statement, the agency said “KDADS apologizes sincerely to the consumers affected for any distress or inconvenience this may cause. KDADS is undertaking an immediate review of policies and procedures relevant to preventing a similar situation from occurring.”
Democratic Rep. Jeff Pittman referenced the data breach during debate on the House floor Thursday. He said state agencies vary widely in security and that some aren’t doing enough to protect the personal data of Kansans.
“When that data gets out, their identity gets stolen,” Pittman said. “We are not doing a good job in terms of keeping our data secure.”
KDADS said people concerned about the breach can put a freeze or fraud alert on their credit report from the three major reporting bureaus: Equifax, Experian and TransUnion.
Stephen Koranda is Statehouse reporter for Kansas Public Radio, a partner in the Kansas News Service. Follow him on Twitter @KPRKoranda.