Newark Beth Israel Medical Center Suffers Second HIPAA Breach
A second data breach has occurred involving Newark Beth Israel Medical Center, with the latest incident potentially exposing the healthcare data of 1,744 patients. Earlier this year the hospital learned of a data breach affecting 956 of its patients.
The latest breach also involved a Business Associate of the Saint Barnabas Health System, in this instance, Professional Transcription Company, Inc. (PTC).
The data breach is understood to have occurred on or around New Year’s Day, 2010, according to a breach notification published on the hospital’s website. PTC is contracted to provide transcription services for dictated physician reports and is therefore required to have access to certain Protected Health Information of patients.
However, the company inadvertently posted some clinical reports containing PHI on a website that could potentially have been accessed by unauthorized individuals. The reports contained patients' full names, dates of birth, medical record numbers, hospital account numbers, physicians' names, diagnoses of medical conditions, treatments received and discharge dates. Other clinical information could potentially have been exposed as well, although no Social Security numbers, home addresses or financial information was accessible at any point during the data breach.
The breach notifications sent to the affected individuals inform them that their data may have been accessible for a period of 10 months and that the reports have now been taken offline and secured. Patients were advised that a full investigation of the incident has been demanded, with which PTC will comply. PTC will also be implementing a number of new security measures to ensure all PHI is properly protected and to prevent any further data breaches.
Newark Beth Israel has no reason to believe that any of the information was inappropriately accessed during the time it was accessible via the internet, although all affected individuals have been advised to monitor their finances and credit for signs of fraudulent activity. The threat of identity theft or medical insurance fraud is considered to be low.
Professional Transcription Company appears to be liable for the HIPAA breach, although questions are likely to be asked about the data security policies and procedures covering business associates and contractors of the Saint Barnabas Health System and its affiliated hospitals. The Office for Civil Rights may choose to investigate the breach to determine whether HIPAA data security rules have been violated. It has the authority to issue substantial fines for the unauthorized disclosure of Protected Health Information.