Child and Family Services of New Hampshire, a non-profit agency, recently notified 23 residents of New Hampshire after their client files were stolen from a secure area in the agency’s main office in Manchester.
The files were stolen sometime between March 15 and March 18, and the theft was detected on March 19. Unfortunately, neither the police nor CFS’s review of its security tapes and records of access to the restricted area identified the thief.
In a letter dated April 11 to those affected, CFS noted that the files contained clients’ names, addresses, dates of birth, Medicaid numbers, and certain health information and notes from home visits. No Social Security numbers, bank account numbers or financial information were in the stolen files.
In notifying clients of the breach, CFS urged them to take some precautions. To that end, they attached an Access to Records Request form, and encouraged those affected to file the form with the New Hampshire Department of Health and Human Services to determine if there was any unauthorized use of their Medicaid number. CFS offered to reimburse for any copying fees the clients might incur associated with the request.
Actually, that may be one of the best notification letters I’ve ever seen as it was clearly written, provided the necessary information about what data types were involved, and facilitated clients protecting their Medicaid numbers by the inclusion of the form. The letter also ended with an appropriate recognition of the inconvenience this breach was to those affected, and how people could contact them via phone or email if they needed assistance. Well done, CFS.
The incident was reported to the state by the agency’s lawyers on April 22.