Arkansas Attorney General (AG) Leslie Rutledge has advised the state’s medical practitioners of their responsibilities regarding when to report a data breach under the federal state’s Personal Information Protection Act (PIPA).

Meanwhile, in neighboring Tennessee the state-run medical service TennCare reported that 43,847 members had their information exposed in a data breach that took place two months ago.

The Arkansas AG’s office sent a letter to the state’s medical licensees detailing their responsibility.

PIPA requires individuals, agencies and businesses to notify the attorney general’s office at the same time as affected individuals or within 45 days if they experience a data breach that impacts more than 1,000 people. To make reporting easier an online form is now available at ArkansasAG.gov.

A notification is triggered if the following personal information being held by the medical facility is compromised.

  • Social security number
  • Driver’s license number or Arkansas identification card number
  • Account number, credit card number or debit card number in combination with any required security code, access code or password that would permit access to any individual’s financial account
  • Medical information

The Tennessean reported TennCare’s pharmacy management vendor Magellan Health was was victimized when a staffer fell for a phishing scam. A TennCare spokesperson said the names, Social Security Numbers, member IDs, health plans, provider names and the names of drugs members have been prescribed were exposed.

A TennCare spokesperson said the organization withheld reporting the attack for two months so it could fully determine the extent of the damage and who was affected. Based on an investigation conducted by an outside firm neither TennCare nor Magellan Health believe the data has been accessed or attempted to use the member’s data.