Georgia Division of Aging Services Data Breach Affects 3,000

Approximately 3,000 members of the Community Care Services Program of Georgia’s Department of Human Services Division of Aging Services (GDHSDAS) have been sent breach notification letters to advise them that a limited amount of their Protected Health Information (PHI) has been accidentally exposed.

The Community Care Services Program helps seniors stay in their communities rather than being placed in a nursing home, so the breach victims are a particularly vulnerable group. However, since Social Security numbers, contact information, dates of birth, and other highly sensitive data were not exposed, the risk of individuals coming to harm as a result of the breach is believed to be low.

Affected individuals have been told the breach occurred when a message containing patient names and “certain health diagnoses” was emailed to a contracted Business Associate.

According to Robyn A. Crittenden, Georgia’s Human Services Commissioner, “While we are confident that this data breach was limited in nature and [was] resolved almost immediately, we are obligated to ensure that our clients and the public can trust the integrity of our programs.” HIPAA requires all covered entities to issue breach notices if PHI has been exposed along with personally identifiable information.

The breach notice describes the mistake only in general terms; it does not make clear whether the email was sent to an incorrect recipient, whether the information was sent before a Business Associate Agreement was in place, or whether the data was sent without first being encrypted.

Crittenden said “We take client privacy very seriously, and it is important that the public is fully aware of this situation and aware of our efforts to prevent such an event in the future.” In order to reduce the risk of future data breaches of this nature occurring, GDHSDAS will be re-training the staff on data privacy, and will be implementing additional safeguards in all Division of Aging Services programs.

There have been a number of healthcare data breaches reported in recent weeks which have resulted from emails containing PHI being sent to incorrect individuals. On July 7, Integral Quality Care notified members of its Integral Health Plan that some of their PHI was accidentally sent to incorrect individuals. A similar email error resulted in the PHI of 722 members of UPMC Health Plan being exposed in June.

Even with the most advanced and robust data security protections in place, PHI can all too easily be exposed. Errors made by members of staff are difficult to prevent, although regular training can help to reduce the risk of breaches occurring. Staff should also be instructed to take particular care when emailing any patient health information, and should check and double check both the data and the intended recipient before the email is sent.
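The "check the data and the recipient before sending" advice above can be backed by an automated pre-send gate rather than relying on staff vigilance alone. The following is an added example, not code from the article, from Georgia DHS or from any named organisation. It assumes a hypothetical mail-gateway hook that hands the function the recipient list and message body; the Business Associate domain allowlist, the internal domain and the diagnosis term list are constructed sample values.

```python
"""
Pre-send gate for outbound email that may carry PHI.

Added example, not the article's or Georgia DHS's code. Assumes a hypothetical
gateway hook that passes recipients and body to check_outbound(); all domain
and keyword lists below are constructed sample data.
"""
import re
from dataclasses import dataclass, field

# Constructed: vendor domains that have a signed Business Associate Agreement.
BAA_DOMAINS = {"ba-vendor.example", "carepartner.example"}
# Constructed: the agency's own domain; internal recipients are not gated.
INTERNAL_DOMAIN = "agency.example"

# Constructed terms that mark a message as carrying health diagnoses.
DIAGNOSIS_TERMS = ("diagnosis", "dementia", "diabetes", "alzheimer", "icd-10")
# Identifiers that should never leave in clear text, even to a BA.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
DOB_RE = re.compile(r"\b(?:0?[1-9]|1[0-2])/(?:0?[1-9]|[12]\d|3[01])/(?:19|20)\d{2}\b")

SEVERITY = {"allow": 0, "hold": 1, "block": 2}


@dataclass
class Verdict:
    action: str                      # "allow", "hold" (human review) or "block"
    reasons: list = field(default_factory=list)


def escalate(verdict: Verdict, action: str, reason: str) -> None:
    """Raise the verdict to a more severe action; never lower it."""
    if SEVERITY[action] > SEVERITY[verdict.action]:
        verdict.action = action
    verdict.reasons.append(reason)


def domain_of(address: str) -> str:
    """Domain part of an address, tolerant of '<a@b.example>' framing."""
    return address.rsplit("@", 1)[-1].lower().strip(">")


def classify_body(body: str) -> set:
    """Return the sensitivity markers found in the message body."""
    text = body.lower()
    markers = set()
    if any(term in text for term in DIAGNOSIS_TERMS):
        markers.add("diagnosis")
    if SSN_RE.search(body):
        markers.add("ssn")
    if DOB_RE.search(body):
        markers.add("dob")
    return markers


def check_outbound(recipients, body: str, encrypted: bool = False) -> Verdict:
    """Decide whether a message may leave, based on content and recipients."""
    markers = classify_body(body)
    verdict = Verdict("allow")
    if not markers:
        return verdict                       # nothing sensitive: no gating
    for rcpt in recipients:
        dom = domain_of(rcpt)
        if dom == INTERNAL_DOMAIN:
            continue
        if dom not in BAA_DOMAINS:
            # Wrong or mistyped domain, or a vendor without a BAA on file.
            escalate(verdict, "block", f"{rcpt}: no BAA on file for {dom}")
        elif not encrypted:
            escalate(verdict, "hold", f"{rcpt}: PHI to {dom} must go out encrypted")
    if markers & {"ssn", "dob"}:
        # More than name + diagnosis: always require the sender to confirm.
        escalate(verdict, "hold", "message carries SSN/DOB; sender confirmation required")
    return verdict


# Constructed sample message resembling the kind of content the article describes.
SAMPLE_BODY = (
    "Care plan update for Jane Doe (constructed sample).\n"
    "Diagnosis: early-stage dementia; referred for in-home support.\n"
)


def demo() -> dict:
    """Run the gate over a few constructed scenarios and return the actions."""
    return {
        "to_ba_plain": check_outbound(["intake@ba-vendor.example"], SAMPLE_BODY).action,
        "to_ba_encrypted": check_outbound(["intake@ba-vendor.example"], SAMPLE_BODY, encrypted=True).action,
        "typo_domain": check_outbound(["intake@ba-vendor.exmaple"], SAMPLE_BODY).action,
        "no_phi": check_outbound(["anyone@mail.example"], "Lunch at noon?").action,
    }


if __name__ == "__main__":
    for scenario, action in demo().items():
        print(f"{scenario}: {action}")
```

The gate distinguishes the three failure modes the notice leaves open: a recipient outside the BAA allowlist (a mistyped or wrong domain) is blocked outright, a legitimate Business Associate receiving unencrypted PHI is held for the sender to confirm or encrypt, and a message carrying identifiers beyond name and diagnosis is held regardless of destination. Severity only ever escalates, so one bad recipient on a multi-recipient message blocks the whole send.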

An email data breach may not result in any harm being suffered by patients, but the same cannot be said for the HIPAA-covered entity. The Office for Civil Rights investigates all data breaches, and can issue fines if HIPAA violations are discovered. Simple errors can prove to be extremely costly.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.