Mailing Error Results in PHI Exposure of Belgrade Regional Health Center Patients
When a physician’s assistant left the Belgrade Regional Health Center, a letter was sent to patients to tell them about the impending change in personnel; however, that letter also resulted in a breach of 854 patients’ Protected Health Information (PHI). The mailing took place on October 21, 2015 and patients first started notifying the health center of the error two days later when the letters started to be received.
An investigation into the incident revealed that an error had been made with the mail merge; a step in the mailing process that can easily result in the accidental disclosure of patient PHI. The error was made by a mailing vendor of the health center. A number of other healthcare providers have also experienced very similar privacy breaches this year.
In this case, the letters included the correct patients name and address, but also the name and address of another individual. The inclusion of an incorrect name and address also indirectly disclosed that that individual was a patient of Belgrade Regional Health Center.
Breach notification letters have now been sent to patients affected by the breach, and the privacy incident has been reported to the Department of Health and Human Services’ Office for Civil Rights (OCR).
Simple Errors Can Result in Considerable Costs, Even When a Limited Amount of PHI is Exposed
Patients of the HealthReach Community Health Centers’ facility will in all likelihood not suffer any harm or loss as a result of the breach, but a full breach response was required nonetheless. Breach notification letters had to be sent to patients, a breach notice issued to the OCR, and an investigation into the incident launched.
The cost of the breach response in this case did not include the provision of credit monitoring and identity theft protection services. It is too early to tell for certain, but the breach is unlikely to warrant an OCR or attorney general fine. A simple breach such as this may however trigger an OCR investigation and that could uncover other more serious procedural issues.
A minor breach of PHI such as this is unlikely to result in a successful lawsuit for damages, but a lawsuit may be launched by breach victims nonetheless, the defense of which would result in costs being incurred. Patients’ faith in the health center’s ability to keep their PHI private is also likely to be affected. The cost of the incident could therefore be considerable, even though only a very limited amount of data were exposed.
The seriousness of data breaches such as these is on a different scale to a cyberattack or theft of a healthcare laptop, but they do have an impact on patients and they do involve costs being incurred.
With this in mind, a wise precaution would be to introduce policies to ensure that patient mailings are checked prior to letters being sent. Since a mail merge error may be introduced at any point in a mailing list, checking numerous mailings for errors, at the start and end of a run, would help to catch mistakes before patients are impacted. By so doing, considerable costs could be avoided.
It is up to the healthcare provider to ensure that mailing vendors are instructed to conduct such checks, and that they are stipulated in Business Associate Agreements (BAAs).