HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

BA Error Exposes PHI of Patients for Four Months

An error by a business associate of Carle Health System has resulted in the protected health information of 1,185 patients being made accessible to unauthorized individuals. The error occurred on February 17, 2016 and was not discovered until June 14.

Files containing PHI had been supplied to the business associate in order for specific contracted duties to be performed. However, the files were copied onto a Carle server that could be accessed by other vendors who were not authorized to view PHI.

According to a press release issued by Carle, the server was used for sharing large documents but the business associate was unaware that the server was not supposed to be used for sharing protected health information.

No evidence has been uncovered to suggest that the files were accessed by other vendors, and at no point were the data accessible via search engines. The server could only be accessed if a user name and password were entered, although login credentials had been supplied to a number of Carle vendors.

Patients have been notified of the potential privacy breach as a precaution. Letha Kramer, vice president of Carle Health System and chief risk and corporate integrity officer, explained in a statement “if the information is out there that could be viewable by others, we take that very seriously.”

Individuals affected by the potential privacy breach had received medical services from Carle Foundation Hospital in Urbana, Illinois between November 1, 2015 and January 31, 2016. The files contained patients’ names, along with medical record numbers, reasons for visits, dates of service, physicians’ names, diagnosis and treatment codes, and internal account numbers. Social Security numbers, insurance details, and financial information were not exposed at any point.

To reduce the risk of similar incidents, Carle Health System will be increasing its education efforts and will ensure that patient health information is transferred securely in the future.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.