Despite major efforts to secure its healthcare data from hackers and external threats, Rady Children’s Hospital has suffered a 14,121-record HIPAA breach after a member of staff made a simple error which resulted in six job applicants being provided with real data from its patients.
As part of an internal evaluation, job applicants were provided with data that had not been de-identified, which is a breach of the HIPAA Privacy Rule. The data included the patients’ names, dates of birth, medical records, insurance claim information and primary diagnoses; no financial information, Social Security numbers or patient addresses were divulged, and the names of parents or legal guardians were not present in the data set. The breach affects patients who had visited the hospital for treatment between July 1, 2012 and June 30, 2013.
The data, in the form of a spreadsheet, was sent to the applicants via email, an insecure medium for transmitting PHI. The spreadsheet was emailed to four potential members of staff who had applied for data management positions at the hospital, and was then forwarded on to a further two individuals.
An investigation revealed that two of the people who received the data were unable to open it, so only four individuals are believed to have viewed the data. Once the error had been discovered, the applicants were contacted and asked to delete the data. The hospital engaged an IT security firm, which was able to confirm that the applicants had indeed deleted the data.
No further risk is believed to exist, but as a precaution the hospital rapidly assembled a task force – consisting of some 150 individuals – to contact all patients affected by the breach to inform them of the incident. Patients were contacted by telephone over the weekend of June 14/15 and were advised of the error and the fact that their data – and that of their children – had been compromised. The hospital also started sending Breach Notification letters to all affected patients on Monday of this week.
Internal Investigation Uncovered a Second HIPAA Breach
The investigation launched into the recent HIPAA breach uncovered a similar data breach which occurred in 2012. In that incident, another member of the hospital staff had also sent an email to job candidates as part of a training exercise; the data was sent to three individuals and contained the records of 6,307 patients.
This incident affected patients who had received treatment at the hospital between June 30, 2009 and June 30, 2010. This second HIPAA breach exposed a similar amount of data, which included patient names, the locations where treatment was received, discharge data, insurance information and outstanding balances. The hospital is also planning to contact these individuals, by telephone and mail, to advise them of the breach.
According to a statement released by the hospital, the most recent error was due to the wrong spreadsheet being attached to the email, while the earlier breach occurred because the member of staff concerned was not aware of the rules governing the use of PHI.
These incidents highlighted the need for further staff training on the HIPAA Privacy and Security Rules. The hospital will be providing additional training sessions to staff and will also be revising its policies and procedures. In the future, Rady Children’s Hospital will only use “validated testing programs” when conducting aptitude tests on potential employees.