HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Baptist Health Data Breach Announced: 6500 Records Exposed

On October 1, 2015, a Baptist Health data breach was added to the Department of Health and Human Services’ Office for Civil Rights breach portal. The breach report indicated the Arkansas-based healthcare provider had suffered a security breach which resulted in the Protected Health Information of 6,500 patients being improperly disclosed to a third party.

Breach notification letters were sent to patients on October 1, alerting them to the privacy breach. This was within the time frame required by the HIPAA Breach Notification Rule, although it has taken some time for further information about the data breach to emerge.

According to a HIPAA breach notification posted on the Baptist Health website, the security incident has been tied to a former Baptist Health provider, who allegedly exported data while employed at Baptist Health and sent that information to Bray Family Medicine, where the individual is now employed.

The security breach first came to light on August 6, 2015 when a Baptist Health patient complained about a letter that had been received from Bray Family Medicine, which the patient in question had previously had no contact with. More complaints were subsequently received about unsolicited mail and phone calls from other patients, who had been contacted by Bray Family Medicine informing them that a new clinic had been opened. The patients were provided with the option of switching healthcare providers.

Please see the HIPAA Journal Privacy Policy

3 Steps To HIPAA Compliance

Please see HIPAA Journal
privacy policy

  • Step 1 : Download Checklist.
  • Step 2 : Review Your Business.
  • Step 3 : Get Compliant!

The HIPAA Journal compliance checklist provides the top priorities for your organization to become fully HIPAA compliant.

Baptist Health launched an investigation into the privacy breach and determined that patient lists had been exported and the data “included contact information consistent with the reported marketing contacts.” This was a breach of privacy policy at Baptist Health, and occurred without the healthcare provider’s knowledge.

Other healthcare professionals, also previously employed at Baptist Health, have also joined the new clinic. According to Dana H. Williams, Privacy Officer for Baptist Health, “These providers are former employees of Baptist Health or Arkansas Health Group d/b/a Baptist Health Family Clinic-Arkadelphia, working in clinics in the Clark County and Hot Spring County areas.”

Although patient lists were passed on to Bray Family Medicine, no treatment information or other medical records were disclosed, and neither were financial information or Social Security numbers. However, the lists did contain patient names, dates of birth, contact telephone numbers, addresses, ethnicity, race, referring and rendering providers, and the last date the patients had visited the hospital for treatment.

It would appear that some patients have already responded to the requests, and have asked Baptist Health to release their medical records and pass them onto Bray Family Medicine. Baptist Health apologized to patients for the privacy breach and told them “as a health care provider, Bray Family Medicine and its employees are held to the same federal privacy requirements that we are.”

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.