Highline Medical Center Notifies Patients of PHI Exposure

Highline Medical Center in Burien, WA has informed 18,399 patients that their names, insurance details, Social Security numbers, and service dates were inadvertently exposed as a result of an error made by a former vendor. The error resulted in PHI being accessible over the Internet for a period of almost two months.

R-C Healthcare Management had been contracted to provide services to Highline Medical Center before it was acquired by CHI Franciscan Health in 2014. A limited amount of patients’ protected health information was provided to the vendor to enable these services to be provided. The data were used for cost reporting functions in 1993, 1994, and from 2008 to 2013.

While performing maintenance work on a server, an R-C Healthcare Management employee inadvertently removed security protections which prevented unauthorized individuals from outside the company gaining access to the data. The error was made on April 21, 2016 but was only discovered on June 13.

Upon discovery of the error, R-C Healthcare Management blocked external access to the files and informed Highline Medical Center of the potential breach. An investigation was conducted to determine whether PHI had been viewed during the time that it was exposed. No evidence was found to suggest any patient information was accessed, viewed, or copied by unauthorized individuals, although it was not possible to rule out the possibility that PHI had been compromised.

Out of an abundance of caution, all patients whose data were exposed have been offered a year of credit monitoring and identity theft protecting services without charge.

Highline Medical Center is committed to protecting the privacy of patients and continually improves policies and procedures to ensure that patient privacy is protected. That process will continue and efforts will be made to prevent future breaches of this nature. According to the breach notice submitted to the Vermont Attorney General’s office, “Upon validation of the completion of services, we will instruct R-C Healthcare to destroy the files.”

Highline Medical Center is the second R-C Healthcare Management client to announce it has been impacted by the error. Last month, Bon Secours Health System announced that 655,000 patients had had their PHI exposed as a result of the server configuration error.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.