Breach of Confidentiality

[ACL 15-56, IRS Code Sect 6103, SSA Public Law 98-369 Sect 1137]

It is the responsibility of every county employee to protect the security and confidentiality of clients’:

  • Medi-Cal PII
  • Federal PII
  • Federal Tax Information.

This section outlines the steps to be taken in the event of a real, perceived or potential Medi-Cal or Federal PII or FTI security incident. To minimize county-wide impact, it is imperative that a formal reporting and response policy be followed when reporting Medi-Cal or Federal PII or FTI security incidents.

This policy applies to all users and staff with direct or indirect access to Medi-Cal client information whether or not on County premises.

Responsibility

Designated personnel have the responsibility to take the action indicated in this section in a timely manner as dictated by the nature and severity of the incident. Those incidents having agency-wide implications should be given the most immediate attention, including escalation during any time period, 24 hours a day/7 days a week:

User

Reports any perceived Medi-Cal or Federal PII or FTI security incidents to his/her Supervisor or Manager.

Supervisor/Manager

  • Evaluates the reported security incident.
  • Keeps a record of actions taken.
  • Completes the “Medi-Cal Personally Identifiable (PII) Incident Report” (SCD 2284), if the Medi-Cal or Federal PII or FTI could have been accessed or viewed by anyone other than those with direct business needs.
  • Submits the SCD 2284 within the date of discovery to the Medi-Cal/Federal PII and FTI Security Coordinator at 333 W. Julian Av.
  • Takes prompt corrective action to reduce the risk of similar incidents.

Medi-Cal/Federal PII and FTI Security Coordinator

Receives the SCD 2284 and notifies the appropriate agencies if the information breach involved any Information Systems Asset.

Frequently Asked Questions

The following are frequently asked questions concerning a breach of confidentiality:

What is a privacy or security breach?

  • A privacy or security breach is an intended or unintended unauthorized disclosure of client Medi-Cal data or PII. Privacy or security breaches may be paper or electronic. If the breach involves computerized information that is unencrypted, including name, SSN, DMV financial account information, then the breach triggers state breach notification law.

What are some examples of privacy or security breaches that involve paper?

  • Misdirected paper faxes with PII outside of Santa Clara County’s Social Services Agency.
  • Loss or theft of paper documents or listings containing PII.
  • Mailings to incorrect providers or beneficiaries.

What are some examples of electronic privacy or security breaches?

  • Stolen, unencrypted laptops, hard drives, PCs with PII.
  • Stolen, unencrypted thumb drives with PII.
  • Stolen briefcases with unencrypted compact discs containing PII.
  • Misdirected electronic fax with PII to persons outside of Santa Clara County’s Social Services Agency.

If some of the information is stolen or otherwise involved in a privacy or security breach, does this mean that the client is a victim of identity theft?

  • No, this does not mean that the client is a victim of identity theft. The fact that some of the information may have been involved in a privacy breach does not mean that a person attempted to or did access the information or that the information has been used inappropriately. Clients may be advised to place a fraud alert on their credit files and review their credit reports.

How will clients know if any of their personal information was used by someone else?

  • The best way to find out is for them to order their credit reports from the three credit bureaus: Equifax, Experian and Trans Union. If they notice accounts on their credit report that they did not open or applications for credit (“inquiries”) that they did not make, these could be indications that someone else is using their personal information, without permission.

Do clients have to pay for a credit report?

  • As a possible fraud victim, they are entitled to a free copy of their credit report. They can call any one of the three credit bureaus at the numbers provided and follow the “fraud victim” instructions. They will automatically place a fraud alert on their credit file with all three of the bureaus.
  • They will soon receive a letter from each bureau confirming the fraud alert and telling them how to order a free copy of their credit report. Clients should follow the instructions in the letters to receive their free reports.
    • NOTE: This free credit report that they are entitled to as a potential fraud victim is in addition to the free annual report that everyone is now entitled to. Clients should be referred to www.privacy.ca.gov for more information on the free annual report.

  • Trans Union - 1-800-680-7289
  • Experian - 1-888-397-3742
  • Equifax - 1-800-525-6285

Are credit bureaus going to ask for the client’s SSN? Is it okay to provide it?

  • The credit bureaus ask for an SSN and other information in order to identify the client and avoid sending their credit report to the wrong person. It is okay for the client to give this information to the credit bureau that they call.

Does the client have to call all three credit bureaus?

  • No. If they call just one of the bureaus, that bureau will notify the other two. A fraud alert will be placed on their file with all three and the client will receive a confirming letter from all three.

Why can’t the client talk to someone at the credit bureaus?

  • They must first order their credit reports. When they receive their reports, each one will have a phone number they can call to speak with a live person in the bureau’s fraud unit. If they see anything on any of their reports that looks unusual or that they don’t understand, they may call the number on the report.

What is a fraud alert?

  • A fraud alert is a message that credit issuers receive when someone applies for new credit in their name. The message tells creditors that there is a possible fraud associated with the account and gives them a phone number to call (the client’s) before issuing new credit. When the client calls the credit bureau fraud line, he/she will be asked for identifying information and will be given the opportunity to enter a phone number for creditors to call. The client may want to make this his/her cell phone number.

Will a fraud alert stop the client from using his/her credit cards?

  • No. A fraud alert will not stop the client from using his/her existing credit cards or other accounts. It may slow down his/her ability to get new credit. Its purpose is to help protect the client against identity thieves trying to open credit accounts in his/her name. Credit issuers get a special message alerting them to the possibility of fraud. Creditors know that they should take “reasonable steps” to re-verify the identity of the person applying for credit.

How long does a fraud alert last?

  • An initial fraud alert lasts 90 days. An alert can be removed by calling the credit bureaus at the phone number given on a credit report. If the client wants to reinstate the alert, he/she can also do so.

What if the client has a fraud alert on, but wants to apply for credit?

  • The client should still be able to get credit. While a fraud alert may slow down the application process, the client can prove his/her identity to a prospective creditor by providing identifying information.

How long does it take to receive a credit report?

  • It could take about 20 days from the day the client calls the credit bureaus. It takes about 5 to 10 days from the time the client calls the credit bureaus to get his/her fraud alert confirmation letter with instructions on ordering his/her credit report. The client should receive his/her reports in another 5 to 10 days from the time they are ordered.

Should the client contact the Social Security Administration and change his/her SSN?

  • The Social Security Administration rarely changes a person’s SSN. The mere possibility of fraudulent use of the client’s SSN would probably not be viewed as a justification. There are drawbacks to doing so. The absence of any history under the new SSN would make it difficult to get credit, continue college, rent an apartment, open a bank account, get health insurance, etc. In most cases, getting a new SSN would not be a good idea.

Should the client close his/her bank account?

  • No, not unless the client’s bank account number was among the items of personal information compromised in the breach. As a general privacy protection measure, the client should limit the use of his/her SSN where it's not required. For example, if his/her bank account number or PIN is the client’s SSN, he/she should ask the bank to give him/her a different number. Clients should NOT use the last four digits of their SSN, their mother’s maiden name or their birth date as a password for financial information.

Should the client close his/her credit card or other accounts?

  • No, not unless his/her account number was among the items of personal information compromised in the breach. As a general privacy protection measure, the client should always look over his/her credit card bills carefully to see if there are any purchases he/she didn’t make. If so, the card company should be contacted immediately.

What should a client look for on his/her credit report?

  • The client should look for any accounts that he/she doesn’t recognize, especially accounts opened recently. Clients should look at the inquiries or requests section for names of creditors from whom they haven’t requested credit. It should be noted that some kinds of inquiries, labeled something like “promotional inquiries,” are for unsolicited offers of credit, mostly from companies with whom they do business.
  • Clients should not be concerned about those inquiries as a sign of fraud. (Persons are automatically removed from lists to receive unsolicited pre-approved credit offers when a fraud alert is placed on an account. Offers can also be stopped by calling 888-5OPTOUT.)
  • Clients should look into the personal information section for addresses where they’ve never lived. Any of these things might be indications of fraud. Also they should be on the alert for other possible signs of identity theft, such as calls from creditors or debt collectors about bills that they don’t recognize, or unusual charges on their credit card bills.

What happens if the client finds out that they have been a victim of identity theft?

  • The client should immediately notify his/her local law enforcement agency, contact any creditors involved and notify the credit bureaus. For more information on what to do, they should view the Identity Theft Victim Checklist on the Identity Theft page of the California Office of Privacy Protection’s Website at www.privacy.ca.gov.

How often should a client order new credit reports and how long should he/she go on ordering them?

  • It might be a good idea for clients to order copies of credit reports every three months for a while. How long they continue to order them is up to them. Identity thieves usually, but not always, act soon after stealing personal information. We recommend checking credit reports at least twice a year as a general privacy protection measure.

I heard that the client could “freeze” his/her credit files. How does that work?

  • A security freeze is a stronger measure than a fraud alert. A freeze prevents others from seeing the client’s credit history without his/her permission. Unlike the fraud alert that lasts 90 days, a credit freeze remains in effect until such time as the consumer elects to terminate the freeze. It costs $10 to place a freeze with each of the three credit bureaus, for a total cost of $30. The client can also temporarily lift the freeze for $10, if he/she wants to apply for new credit. For more information on the freeze, the client should view the Identity Theft page of the Office of Privacy Protection’s Website: http://www.privacy.ca.gov/cover/identitytheft.htm. If the client has no internet access, they may call the California Office of Privacy Protection at 1-866-785-9663.

If the notice is addressed to a child who is a minor, what should the client do?

  • The client should call each of the credit bureaus at the numbers in the notice letter. The fraud cues on the automated system should be followed and the child’s information entered. If he/she gets a message of “report not found” or something of that nature, that’s good. That means the child doesn’t have a credit history. A creditor doing a credit check would get the same message, pretty much eliminating the risk of new credit being established in the child’s name. The client may want to go through this process every few months for six months to a year.
  • If the fraud alert process goes through, then the client will receive a confirming letter in the mail from each of the credit bureaus with instructions for ordering his/her child’s credit report. The client should check the report(s) and call the credit bureaus about any information that looks suspicious or inaccurate.

If the notice is addressed to the client’s spouse, who is deceased, what should the client do?

  • The client should call each of the credit bureaus at the numbers in the notice letter. The fraud cues should be followed and the deceased person’s information entered. If the message received says “reported deceased” or “no report on file” or something of that nature, that’s good. That means the credit bureaus have been notified by the Social Security Administration that the holder of the SSN is deceased.
  • A creditor doing a credit check would get the same message, pretty much eliminating the risk of new credit being established in the deceased person’s name/number.
  • NOTE: Counties notify SSA when a death certificate is filed.

If the fraud alert process on the automated phone system goes through, that may mean that the credit bureaus haven’t been notified of the death. In that case the spouse (or the executor of the estate) would notify the credit bureaus in writing that the person is deceased and that the person’s information may be at risk of identity theft. The credit bureaus will flag the file as deceased. The spouse (or executor) must include the following information in the letters to the credit bureaus:

  • Deceased’s full name, date of birth, most recent address and SSN.
  • Copy of the death certificate.
  • The spouse may request and receive a copy of the deceased’s credit report at the spouse’s home address.
  • An executor wishing to receive a copy of the deceased’s credit report should enclose a copy of the executorship papers.

Mail to the credit bureau addresses below:

Experian

  • Phone: 888-397-3742
  • TDD: 800-972-0322
  • Address: P.O. Box 9532, Allen, TX 75013

Trans Union

  • Phone: 800-680-7289
  • TDD: 877-553-7803
  • Address: P.O. Box 6790, Fullerton, CA 92834

Equifax

  • Phone: 800-525-6285
  • TDD: 1-800-255-0056 and ask for Auto Disclosure Line, 1-800-685-1111
  • Address: P.O. Box 740241, Atlanta, GA 30374-0241
