HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Highlands-Cashiers Hospital Reassures 25K Patients After Possible HIPAA Breach

Highlands-Cashiers Hospital of Macon County, North Carolina, has informed 25,000 patients of a security vulnerability that left the PHI of some of its patients unprotected for a period of four months, between May and September, 2014.

The healthcare provider employed a business associate, TruBridge, to handle some of its healthcare information however the company made a configuration error which potentially exposed the health records of approximately 25,000 individuals.

The vulnerability was discovered during routine security screening procedures on Sept 29. HCH identified information such as patient names, addresses, dates of birth, Social Security numbers, health insurance details, diagnoses and treatments were all potentially accessible and were not protected by the company’s firewall.

Immediate action was taken and new firewalls were installed to correct the issue and the data has now been made secure and there is believed to be no further risk of exposure. The hospital hired a forensic investigation company to assess the extent of the data breach and the investigation found no evidence that any information had been accessed, even though the data was freely accessible via the internet.
Hospital president, Craig James, does not believe the incident can be classed as a HIPAA breach because no data was viewed during the period in which it was potentially accessible. Patients were being notified of the outside possibility that their data had been viewed out of an abundance of caution.

Get The Checklist

Free and Immediate Download
of HIPAA Compliance Checklist

Delivered via email so verify your email address is correct.

Your Privacy Respected

HIPAA Journal Privacy Policy

The incident has prompted the hospital to contact its business associates and has communicated that the privacy and security of data must be maintained. According to James, “We take our responsibility to protect patient information very seriously and want to reassure you that safeguarding confidential information remains a priority for us.”

The security breach has not resulted in the termination of the contract with TruBridge, which will be continuing with the project it has been assigned as HCH advised the public that the company had been very cooperative in the investigation. The hospital plans to convert all of its IT systems over the course of the next 12 months now the company is under the Mission Health System, although it is currently undecided whether TruBridge will play a role in those plans.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.