Baptist Health Data Breach Announced: 6500 Records Exposed

Share this article on:

On October 1, 2015, a Baptist Health data breach was added to the Department of Health and Human Services’ Office for Civil Rights breach portal. The breach report indicated the Arkansas-based healthcare provider had suffered a security breach which resulted in the Protected Health Information of 6,500 patients being improperly disclosed to a third party.

Breach notification letters were sent to patients on October 1, alerting them to the privacy breach. This was within the time frame required by the HIPAA Breach Notification Rule, although it has taken some time for further information about the data breach to emerge.

According to a HIPAA breach notification posted on the Baptist Health website, the security incident has been tied to a former Baptist Health provider, who allegedly exported data while employed at Baptist Health and sent that information to Bray Family Medicine, where the individual is now employed.

The security breach first came to light on August 6, 2015 when a Baptist Health patient complained about a letter that had been received from Bray Family Medicine, which the patient in question had previously had no contact with. More complaints were subsequently received about unsolicited mail and phone calls from other patients, who had been contacted by Bray Family Medicine informing them that a new clinic had been opened. The patients were provided with the option of switching healthcare providers.

Baptist Health launched an investigation into the privacy breach and determined that patient lists had been exported and the data “included contact information consistent with the reported marketing contacts.” This was a breach of privacy policy at Baptist Health, and occurred without the healthcare provider’s knowledge.

Other healthcare professionals, also previously employed at Baptist Health, have also joined the new clinic. According to Dana H. Williams, Privacy Officer for Baptist Health, “These providers are former employees of Baptist Health or Arkansas Health Group d/b/a Baptist Health Family Clinic-Arkadelphia, working in clinics in the Clark County and Hot Spring County areas.”

Although patient lists were passed on to Bray Family Medicine, no treatment information or other medical records were disclosed, and neither were financial information or Social Security numbers. However, the lists did contain patient names, dates of birth, contact telephone numbers, addresses, ethnicity, race, referring and rendering providers, and the last date the patients had visited the hospital for treatment.

It would appear that some patients have already responded to the requests, and have asked Baptist Health to release their medical records and pass them onto Bray Family Medicine. Baptist Health apologized to patients for the privacy breach and told them “as a health care provider, Bray Family Medicine and its employees are held to the same federal privacy requirements that we are.”

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.

Share This Post On