It happens to the best of us.

We realize a split second after sending an email that we left someone cc’d that we shouldn’t have or that we forgot to attach the most recent .PDF of a report. While these are relatively minor faux pas, it can happen on a grander scale, with more serious consequences. 

An employee at Iowa Total Care, Inc., a managed care organization based in Des Moines, assuredly knows that feeling well now. The organization, a health plan that's a subsidiary of Centene, a large, publicly traded managed care organization based in Missouri, recently acknowledged an email error that accidentally resulted in the information of 11,581 patients being sent to the wrong person.

According to reports, the employee mistakenly sent an Excel spreadsheet containing claims data to a large provider organization. While ordinarily this might not be a problem, this file contained protected health information (PHI) belonging to patients who had not received medical care there. The Excel sheet contained information like names, Medicaid ID numbers, dates of birth, and procedure and diagnosis codes. The information of 11,581 patients

The recipient reportedly never shared or copied the spreadsheet and instead deleted it. To address the security lapse, the healthcare facility claims it has re-educated the employee and implemented additional safeguards to prevent an incident like this from happening again.

As the provider is a HIPAA covered entity, it was required to inform the U.S. Department of Health and Human Services' Office for Civil Rights; the breach appears on OCR's Breach Portal with a submission date of June 23.

HIPAA's Privacy Rule requires covered entities to implement safeguards to protect sensitive patient data like PHI but at first glance it's unclear exactly what mechanisms Iowa Total Care had in place. Healthcare record breaches are a dime a dozen these days - they can easily pile up, leading to a compliance nightmare - but having a solution in place that can see, classify, and protect data like Medicaid numbers could have prevented PHI egress in the first place and diminished the chance of the data getting shuffled off via email.