More than 100 Lauderdale County employees had their sensitive information shared via email to other employees covered by the county's healthcare plan in an accidental exposure Tuesday.
Personal information in the email included names, social security numbers and phone numbers. Chris Lafferty, the county administrator, inadvertently shared the information in a county-wide email sharing health insurance information.
"I want to give you exactly what the (Board of Supervisors) and I see concerning your health insurance. You'll see that we are not saving any money," Lafferty said in the email. "If the current trend continues, the employee portion will most likely go up."
Emails shared with The Meridian Star didn't include the sensitive information, but showed the cost of care for the county, broken down by "diagnosis chapters" such as infectious diseases, mental disorders, pregnancy, congenital anomalies and more. Individual's names were not listed next to those treatments. An estimated annual cost to the county from Benefits Management Group predicted healthcare for employees would cost the county more than $2 million annually.
"We did have a data breach and we're working on it," Jonathan Wells, the board president and representative for District 1, said in a phone interview Thursday. "We're addressing it and looking at ways we can move forward."
In the Tuesday email, Lafferty encouraged county employees to use the MD Live tele-med system "when appropriate" but repeatedly said the encouragement wasn't to dissuade employees from seeking medical treatment.
"(MD Live) is a wonderful service that does not cost you anything and you do not have to wait in waiting rooms. You simply call the number and they call you back. I'm also asking that you not use the Emergency Room as your normal doctor. ER visits costs (sic) a fortune," Lafferty said. "But again- if you feel as if you need to go to the ER, then you should go. We are not suggesting that you not seek any medical treatment."
According to mdlive.com, the system allows customers to visit a doctor, counselor, psychiatrist or dermatologist via a mobile app, video or phone.
"Visits are convenient, private and secure. Protection of your personal information is our priority," the website said.
Lafferty sent another email Thursday morning, at 8:20 a.m., and copied the board's attorney, Lee Thaggard.
"As most of you know by now I erroneously sent an email yesterday that contained personal information. I immediately notified the Board President and told him what I had done and what the plan was. It is 100% my fault," Lafferty said. "I understand the concerns some of you have. Thankfully my bond will cover any issues that come up and are proven to be related to my mistake. I'm also thankful it takes a lot more information to damage people. Before we jump to conclusion (sic), let's take a step back and watch the situation. I'm confident, as are most of you, that the problem will take care of itself."
Lafferty attached four resource links for employees to protect their information "as this unfolds."
On Thursday, Wells said he had concerns about media reporting on the breach, saying putting the information out there could increase people's risk.
"Some of my coworkers' names are on that list," Wells said. "It affected everyone from the bottom to the top. There are people on the 11th floor (where the supervisors' offices are) whose names are on that list."
Wells said supervisors would look into software that could pull the information back and alert employees about unauthorized access to their information.
"As soon as it happened, I was made aware... no one is putting the blame anywhere else and I've gotten positive feedback about that," Wells said.
When asked if county residents should be concerned about their sensitive information, such as addresses or social security numbers, being stored at any government offices, Wells said the email affected only county employees.
"I don't see a private citizen's information being released," Wells said.
The Star reached out to Lafferty for additional comment. In an email he stated he was confident responses from Wells as the board president would be sufficient.
The Star requested comment from Lafferty on the county's protocol for handling sensitive information and privacy violation concerns under HIPAA's protected health information, part of the Health Insurance Portability and Accountability Act of 1996, which can include "many common identifiers (e.g., name, address, birth date, Social Security Number)," according to the U.S. Department of Health & Human Services.
Some employees on the list who were contacted by The Star said they didn't realize their personal information had been shared. All those contacted by The Star declined comment or didn't return phone calls.