Multiple Data Breaches Reported by Dignity Health
Dignity Health has discovered multiple data breaches and violations of HIPAA Rules in the past few weeks. One incident involved an employee accessing the PHI of patients without authorization, an error occurred that allowed a business associate to receive PHI without a valid BAA being in place, and most recently, a 55,947-record unauthorized access/disclosure incident has been reported to the Department of Health and Human Services’ Office for Civil Rights (OCR).
Business Associate Agreement Error Discovered
On May 10, 2018, Dignity Health notified OCR of a data breach affecting patients of its St. Rose Dominican Hospitals at the San Martin, Siena, and Rose de Lima campuses in Nevada. Dignity Health reports that on April 6, 2018, St Rose Dominican Hospitals shared the protected health information of 6,036 patients with a third-party contractor to process health-related court documents for hearings.
The contractor had been used for ten years and a valid business associate agreement was previously in place; however, that document had expired and data continued to be shared with the contractor due to a clerical error. Dignity Health reports that the manner in which the PHI was shared did not differ in any way to when the BAA was in place.
The matter has been rectified and further controls have been put in place to prevent similar errors from occurring in the future.
3 Steps To HIPAA Compliance
Please see HIPAA Journal
- Step 1 : Download Checklist.
- Step 2 : Review Your Business.
- Step 3 : Get Compliant!
The HIPAA Journal compliance checklist provides the top priorities for your organization to become fully HIPAA compliant.
Inappropriate Accessing of PHI by St. Joseph’s Hospital and Medical Center Employee
On June 2, Dignity Health’s St. Joseph’s Hospital and Medical Center announced it had discovered an employee had been accessing the health information of patients without authorization for five months. During that time, portions of 229 patients’ records were inappropriately accessed.
The inappropriate accessing of health information was discovered during periodic review of PHI access logs. That review revealed one employee had been accessing patients’ health information from October 13, 2017 to March 29, 2018. During that time, the records of 229 patients were accessed.
The types of information that could have been viewed by the employee were restricted to names, dates of birth, demographic information, physicians’ and nurses’ notes and diagnostic information. The accessing of the information appears to have taken place out of curiosity rather than malicious intent.
Since no financial data or Social Security numbers were accessed, patients have been told they do not need to take any actions to protect their identities. Notifications have been issued as a precaution and to satisfy the requirements of HIPAA.
Dignity Health reports that appropriate disciplinary action has been taken against the employee for the violation of hospital policies and HIPAA Rules.
55,947-Record Email Breach Reported
On May 31, Dignity Health submitted a breach report to OCR that has been listed as an unauthorized access/disclosure incident involving email.
Dignity Health responded to a request from HIPAA Journal for further information about the breach and confirmed the incident impacted Dignity Health and its affiliates Dignity Health Medical Group Nevada, LLC, and Dignity Health Medical Foundation.
On April 24, 2018, Dignity Health discovered an email list formatted by its business associate, Healthgrades, contained an error that resulted in emails being misaddressed. Emails were sent to inform patients about a new online appointment scheduling tool.
While the email was sent to 55,947 patients, the only information disclosed was the patients name, and in some cases, the name of that person’s physician. Each email was inadvertently sent to one incorrect recipient only.
Steps have now been taken to prevent further incidents of this nature from occurring and patients have now been notified about the error.