Case Manager Duped naviHealth; Dignity Health Alerts Patients to Privacy Breach

Dignity Health is notifying 520 patients that their privacy was violated by a naviHealth employee who gained employment as a case worker using a false name and nursing license.

Dignity Health is a not-for-profit public benefit corporation operating in 17 states. The San Francisco-based health system is the fifth largest hospital system in the United States, and is the largest non-profit hospital provider in the state of California.

Dignity Health works with a large number of hospitals and provides in-home health services to patients after they have been discharged from hospital. Dignity Health outsources some of its services to the Nashville, Tennessee-based post-acute care management company naviHealth. naviHealth provides PAC management services to over 1.5 million beneficiaries throughout the United States.

On June 6, 2016., Dignity Health was informed by naviHealth that an individual had gained employment under false pretenses. The individual was employed by naviHealth as a case worker between June 2015 and May 2016. The case worker was provided with access to the protected health information (PHI) of 520 patients during the time of employment in order to complete work duties. All of the patients had previously received medical services at Mercy Medical Center Redding.

The PHI viewed by the individual included patients’ names, phone numbers, addresses, dates of birth, Social Security numbers, account numbers, medical record numbers, dates of service, and health insurance information which included member IDs and health plan numbers. Clinical information such as lab test results, medical diagnoses, provider notes, and treatment information was also accessed by the case worker.

Upon discovery of the problem, naviHealth terminated the case worker’s access to PHI and severed all ties with that individual. The matter was also reported to law enforcement and a criminal investigation has commenced.

While it does not appear that employment was sought by the individual with the purpose of gaining access to the PHI of patients, all individuals affected by the incident have been offered a year of credit monitoring services without charge.

naviHealth has taken a number of steps to prevent similar incidents from occurring in the future. All current employees have had their nursing licenses and other credentials checked for authenticity and naviHealth has determined that this was an isolated incident.

All calls made by the case worker were recorded and naviHealth has now reviewed the content of all of those calls and has assessed them for clinical accuracy. naviHealth will also be conducting more rigorous screening checks of all future workers prior to employment commencing.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.