HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Baxter Regional Home Health Alerts Patients to Potential PHI Exposure

Baxter Regional Home Health is alerting patients to a potential breach of their protected health information following a break-in at its facility in Cotter, Arkansas. The break-in occurred during the night and was discovered on August 5, 2016.

The thieves did not steal any equipment containing electronic patient health information, but hard copy files were present in the facility. While Baxter Regional Home Health does not believe that any files were taken by the thieves, it is possible that PHI was viewed. The files contained a range of PHI including the names of patients who had previously received treatment from the facility. Baxter Regional Home Health employees were also potentially impacted.

The data in the files included patients’ names, phone numbers, addresses, Social Security numbers, dates of birth, government ID numbers, diagnostic information, and insurance details. Employee information included names, phone numbers, addresses, dates of birth, information about past employers, and licensure information.

The breach notice posted to the organization’s website does not indicate how many individuals have been impacted, although the breach report submitted to the Department of Health and Human Services’ Office for Civil Rights shows the PHI of 2,124 individuals was potentially compromised.

Security at the facility is being improved to further protect patient health data. Locks have been changed and an alarm system and security cameras will be installed.

Baxter Healthcare Informs Patients of Privacy Breach

Illinois-based Baxter Healthcare has informed patients of a privacy breach that exposed their email addresses to members of the Patient Advisory Council. On September 15, 2016, an employee sent an email to 992 patients inviting them to take part in the Patient Advisory Council. However, the email addresses of patients were accidentally added to the ‘To’ field, rather than the BCC field, which masks email addresses from other members of the email group. No sensitive PHI was exposed as a result of the error.

Baxter Healthcare discovered the error the following day and attempted to recall the message, although it had already been delivered and had been viewed by a number of patients. To prevent future incidents such as this, Baxter Healthcare has provided additional training to employees. Additional safeguards are also being evaluated.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.