HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

St. Rose Dominican Hospital Patients Impacted by DJO Global PHI Breach

DJO Global, a provider of medical technologies to help patients maintain and regain natural motion, has discovered that some patients’ information has been exposed, and potentially disclosed, to unauthorized individuals.

Individuals who had received a DJO Global device in the emergency room, Urgent Care Site, or the Same Day Surgery Center of the Siena, San Martin or De Lima campuses of St. Rose Dominican Hospital in Las Vegas, NV between July 17 and October 16, 2017 have potentially been affected.

Those individuals are likely to have signed a DJO Global Patient Product Agreement confirming they had received one of the company’s devices. Those consent forms should have been sent to DJO Global; however, a batch of consent forms was not received.

A DJO employee collected the forms from St. Rose Dominican Hospital and should have taken them to DHL to be delivered to DJO Global; however, the forms were lost in transit. They are believed to have been lost between collection from the hospital and delivery to DHL.

The forms contained the following information: name, phone number, address, birth date, physician name and location, product order date, product information, date of injury, diagnosis code(s), health plan identification number, and health plan information. Some patients whose health plan uses Social Security numbers as patient identifiers would also have had their Social Security number exposed.

DJO Global has not received any reports to suggest patients’ exposed information has been misused, although since it is possible that the forms have been obtained by a third party, data misuse is a possibility. To ensure that patients are protected, all have been offered complimentary credit monitoring services for 12 months. Patients have also been advised to place a fraud alert on their credit files, to obtain copies of their credit reports, and to check their Explanation of Benefits statements carefully for any sign of fraudulent activity.

DJO Global has responded to the incident by changing policies and procedures for mailing and has implemented new quality controls to prevent similar incidents from occurring in the future. Its vendor has also received further training on the importance of securing and protecting patient health information.

Patients impacted by the incident have now been notified by mail, and the Department of Justice and Department of Health and Human Services’ Office for Civil Rights have been notified of the incident.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.