Archive for HIPAA Violations
Women & Infants Hospital of Rhode Island agreed to a $150,000 settlement with the Massachusetts Attorney General for a November 2012 breach that affected more than 12,000 Massachusetts patients, according to Boston Business Journal.
The breach began in 2011 when the hospital transferred 19 unencrypted back-up tapes from the hospital’s prenatal diagnostic centers in New Bedford, Massachusetts, and Providence, Rhode Island, to a central data center for its parent company, Care New England Health System. The parent company then sent the tapes off-site for archival. In 2012, Women & Infants Hospital staff discovered that 12 of the tapes were missing. The tapes contained patients’ names, dates of birth, Social Security numbers, exam dates, and ultrasound images, as well as physicians’ names. Approximately 1,800 patients from other states were also affected, Boston Business Journal reported.
The Massachusetts Attorney General’s Office filed a complaint against Women & Infants Hospital of Rhode Island on July 2, 2014, alleging that the hospital violated HIPAA by failing to track the back-up tapes and neglecting to notify affected patients of the breach in a timely manner. Under the settlement agreement, the hospital must maintain an inventory of its systems, custodians, and descriptions of unencrypted data and paper charts that contain PHI, Boston Business Journal reported.
In just one week, Rady Children’s Hospital-San Diego uncovered multiple breaches of PHI caused by human error that affected more than 20,000 patients, according to a hospital press release.
The first breach occurred June 6 and affected 14,121 patients admitted to the hospital from July 1, 2012, through June 30, 2013. The breach occurred when a hospital employee accidentally emailed a spreadsheet containing PHI to four job applicants when trying to send a training file to evaluate the applicants. Upon contacting the four applicants, the hospital learned that one forwarded the email and attachment to two additional people. The spreadsheet contained patients’ names, dates of birth, primary diagnoses, admit/discharge dates, and medical record numbers, as well as insurance carrier and claim information, according to the press release.
While performing an internal investigation following the June 6 breach, the hospital learned that a similar breach affecting 6,307 patients occurred in August, November, and December 2012. In this instance, a hospital employee emailed a test file containing PHI to three job applicants. An additional six applicants took the same test at the hospital, but were unable to save, store, or send the data. The test contained patients’ names, discharge dates, the location where they were seen, payer name, and balance, according to the press release.
A former East Texas hospital employee faces up to 10 years in prison for HIPAA violations, according to a press release from the U.S. Department of Justice.
Joshua Hippler, 30, formerly of Longview, Texas, faces charges for wrongful disclosure of individually identifiable health information. Hippler was accused of obtaining PHI with the intent to use it for personal gain while employed by the hospital in question from December 1, 2012, through January 14, 2013. A grand jury recently indicted Hippler, according to the press release.
Hackers recently gained unauthorized access to a computer server at the Montana Department of Public Health and Human Services (DPHHS), according to a statement released by the department.
Department officials began an investigation May 15 after detecting suspicious server activity. Investigators determined May 22 that hackers accessed a Montana DPHHS computer and gained access to client data including names, addresses, dates of birth, and Social Security numbers. Information about services the clients received or applied for may have been accessed as well. The Montana DPHHS shut down the server upon discovering the breach. The department notified affected individuals July 3 but does not believe anyone inappropriately used or accessed the data, according to the statement.
Several news outlets, including Reuters, reported that the hackers may have gained access to the personal information of 1.3 million individuals.
The hits just keep on coming. HHS announced June 23 that OCR entered into a resolution agreement and an $800,000 settlement with Parkview Health System, Inc., in Fort Wayne, Indiana, for alleged HIPAA Privacy Rule violations.
Parkview obtained the medical records of 5,000–8,000 patients while helping Dr. Christine Hamilton transition her patients to new providers upon her retirement. It was believed that the health system was interested in purchasing a portion of Dr. Hamilton’s practice. Parkview failed to safeguard the PHI of these patients when its employees left 71 cardboard boxes of these medical records outside the physician’s home while she was not there. The home is within 20 feet of a public road and is near a shopping center, according to the press release.
The resolution agreement provides that Dr. Hamilton filed the complaint against Parkview. The investigation revealed that when Parkview employees left the medical records at Dr. Hamilton’s home, they were aware that she was not there and had previously refused the delivery of the records.
Parkview’s corrective action plan states that it will do the following:
- Develop, maintain, and revise written HIPAA Privacy Rule policies and procedures for its workforce with HHS approval
- Distribute HHS-approved policies and procedures to members of its workforce
- Ensure that new, approved policies and procedures provide for administrative, technical, and physical safeguards to protect PHI
- Notify HHS in writing within 30 days of a violation of the new, approved policies and procedures
- Provide general safeguards training for its workforce members who have access to PHI