By Rachel Lerman / Skagit Valley Herald
MOUNT VERNON— Skagit County will pay $215,000 and has agreed to monitoring in a resolution agreement with the U.S. Department of Health and Human Services due to a 2011 exposure of county Public Health Department receipts containing protected health information.
The county discovered in September 2011 that receipts from the department were “inadvertently moved to a county public Web server” that was accessed by Google’s search engine for a twoweek period, according to a county news release.
The payment receipts, for services between January 2011 and September 2011, contained information about certain services provided by the department, including a short description of the service without details, the patient’s name and the cost and date of the service. They did not include full credit card numbers, Social Security numbers, birthdates or addresses.
The county learned of the data release in September 2011 when a patient called because she had found the information during a Google search, said Donnie LaPlante, Skagit County privacy officer.
The county reported the release to the public in November 2011.
The county has since had a cyber-liability security expert conduct a risk analysis of its management of protected information. The county made a risk-mitigation plan, updated policies, provided security training and installed new firewalls, LaPlante said.
The receipts were inadvertently coded to be placed on a public server, when they should have been coded for a private server, he said.
“They shouldn’t have been placed on the server that they were placed on,” LaPlante said. “As soon as we discovered it, we removed them.”
The county didn’t receive any other calls about the information apart from the one that tipped them off.
“Skagit County understands the importance of safeguarding our patients’ personal information and takes this responsibility very seriously,” LaPlante said in a prepared statement. “We regret that this incident occurred, and are committed to preventing any future occurrences.”
The county is working with Health and Human Services as part of a corrective action plan to make sure it meets personal health information protection requirements. The plan includes developing additional written policies and training staff, LaPlante said.