The Department of Health Care Services said Monday it has breached the privacy of 49,352 people who receive adult day-care services from the state.
The department said that letters it mailed a week ago to 49,352 Medi-Cal beneficiaries wrongly included each patient's Social Security number on their address labels.
The department said the security incident took place Feb. 1, but it was only told about it on Thursday. It started to notify the 49,352 beneficiaries about the problem over the weekend.
"At this point, there is no evidence that unauthorized parties have acquired or accessed beneficiary personal information," the department said in a prepared statement.
DHCS officials said they regretted the breach, which has so far cost the state $50,000. It blamed itself and a private vendor for the problem mailings.
Karen Johnson, a deputy director at the department, said officials are investigating and will figure out who pays for what when they get the findings.
On Saturday, the department said it began sending notification letters to the 49,352 beneficiaries alerting them to the security breach.
The letter also advised beneficiaries how to protect themselves from identity theft by contacting the three credit reporting agencies and placing a fraud alert on their files.
Department of Health Care Services Director David Maxwell-Jolly said the breach occurred when officials sent a notice to beneficiaries, entitled: "Notice of Change in Medical Necessity and Eligibility Criteria for Authorization of ADHC Services."
In preparing a mailing list, beneficiaries' Social Security numbers were mistakenly included on mailing labels.
"We have implemented additional safeguards governing the release of Social Security numbers, and our mailing vendor has implemented additional quality control measures to prevent such errors from occurring in the future," Maxwell-Jolly added.
"We regret this error. We will redouble our efforts to ensure that all beneficiary information entrusted to the state is aggressively and appropriately protected," he added.
The SSNs didn't have spaces or dashes and may have appeared to be a random nine-digit number to people other than recipients, the department said.