Even HHS Involvement Did Not Stop Months of Patient Privacy Breaches
A simple mistake can lead to the exposure of hundreds of private and confidential medical records, as discovered by Brooklyn marketing firm, APS Marketing Group. The company started receiving faxes containing the medical information of patients of an unnamed medical clinic in April, 2015. Despite efforts to contact the sender, the intended recipient, and the Department of Health and Human Services, the faxes kept on arriving. APS ended up receiving faxed medical documents for months on end and hundreds of patients had their medical records exposed.
The information contained in the documents included patient names, contact information, the medical test that had been requested, and in some cases, also Social Security numbers.
The error was caused as a result of a member of staff entering a fax number incorrectly. That simple mistake resulted in documents being sent to the wrong company, exposing the data of hundreds of patients. However, it is not the error that is worrying in this case, but how long it took for the HIPAA breaches to stop, even after the HHS got involved.
The faxes were intended for Quest Diagnostics, a provider of clinical laboratory services, but were not sent from an individual office but from many medical facilities in the New York Metropolitan area.
3 Steps To HIPAA Compliance
Please see HIPAA Journal
- Step 1 : Download Checklist.
- Step 2 : Review Your Business.
- Step 3 : Get Compliant!
The HIPAA Journal compliance checklist provides the top priorities for your organization to become fully HIPAA compliant.
Because the faxes were sent from multiple facilities, stopping them from being sent was not a straightforward process. APS contacted Quest Diagnostics, and the company agreed to look into the error, although the faxes continued to be received.
Even when the Department of Health and Human Services was alerted to the privacy breach, the faxes kept coming. According to an NBC 4 New York news report, the HHS agreed to look into the persistent HIPAA privacy breaches. APS eventually received a response from the HHS in the mail advising it that the matter would be resolved, and technical assistance would be provided to Quest Diagnostics.
However, faxes kept coming. APS followed up with the HHS and was advised that the complaint had been resolved and the case closed, even though the privacy breaches continued. It was only after the matter was reported to NBC’s I-Team and its reported started investigating and following up that the breaches stopped.
The Office for Civil Rights was criticized earlier this year by the OIG for its lack of follow ups with covered entities that had experienced HIPAA breaches. This incident would suggest there are still issues that need to be addressed. Not all HIPAA breaches warrant financial penalties, but when action is taken either against organizations or to assist them, those actions should, at the very least, prevent privacy breaches from continuing to occur. APS was not contacted by either Quest or the HHS after the initial letter was sent. How the case was closed when privacy breaches continued to occur is unclear.