Archive for HIPAA Violations
The Colorado Department of Health Care Policy and Financing announced October 10 that it unintentionally exposed the PHI of approximately 15,000 behavioral health patients, according to a news release.
The department mailed survey postcards to patients receiving behavioral health services from Medicaid or the Department of Human Services’ Office of Behavioral Health. The survey asked patients to provide feedback about the behavioral health serviced they received, which is a violation of HIPAA because the postcard was not in an envelope and could be read by anyone, according to the news release. The postcards did not list patients’ Social Security numbers, but included the following:
- First and last names
- A return address for Thoroughbred Research Group, which helped conduct the survey
- The Colorado Department of Health Care Policy and Financing logo
The department learned about the incident September 9 and later notified affected patients by mail. The letter to patients states that the department mailed the postcards July 30 and September 3.
A former employee of Tri-City Medical Center in Oceanside, California, removed unauthorized ED logs containing the PHI of approximately 6,500 patients on August 8, according to a press release.
The former employee placed the records at the bottom of a cart he used when transporting his personal belongings from the hospital to his vehicle. The hospital used the logs in an onsite regulatory review the day prior to the theft, according to the medical center website. The former employee took the records to the San Diego Office of the California Department of Public Health, which oversees California hospital regulations. Tri-City Medical Center was in contact with the California Department of Public Health following the unauthorized removal of the logs from its premises, according to a breach notification letter sent to affected patients.
The paper logs contained the full names, dates of service, dates of birth, admitting physicians, medical record numbers, diagnoses and admit dates and times for patients admitted to the hospital or transferred to another facility from December 1, 2013 through May 13, 2014. The hospital alerted law enforcement officials of the incident, according to the press release.
The theft of three desktop computers at Bay Area Pain Medical Associates in Sausalito, California, may have exposed information about 2,780 patients, according to a sample notification letter released by the medical group.
Medical records stored on the desktop computers were encrypted, but the medical center suspects that an Excel® spreadsheet containing patient names and dates of service may have been accessible. Thieves broke into Bay Area Pain Medical Associates May 19. The theft was discovered the following day, at which time the medical center notified law enforcement officials, according to the letter.
HHS frequently stresses the importance of encrypting devices. In April, HHS released a statement that emphasized the need for encryption, citing two OCR settlement agreements that totaled nearly $2 million as examples of the dangers posed by unencrypted devices in healthcare.
Although some Bay Area Pain Medical Associates patient names on the computers may have been accessed following the break-in, the medical group stated in its letter that encryption would prevent the unauthorized disclosure of other PHI stored on the devices, including Social Security numbers and dates of birth.
Women & Infants Hospital of Rhode Island agreed to a $150,000 settlement with the Massachusetts Attorney General for a November 2012 breach that affected more than 12,000 Massachusetts patients, according to Boston Business Journal.
The breach began in 2011 when the hospital transferred 19 unencrypted back-up tapes from the hospital’s prenatal diagnostic centers in New Bedford, Massachusetts, and Providence, Rhode Island, to a central data center for its parent company, Care New England Health System. The parent company then sent the tapes off-site for archival. In 2012, Women & Infants Hospital staff discovered that 12 of the tapes were missing. The tapes contained patients’ names, dates of birth, Social Security numbers, exam dates, and ultrasound images, as well as physicians’ names. Approximately 1,800 patients from other states were also affected, Boston Business Journal reported.
The Massachusetts Attorney General’s Office filed a complaint against Women & Infants Hospital of Rhode Island July 2, 2014, alleging that the hospital violated HIPAA by failing to track the back-up tapes and neglecting to notify affected patients of the breach in a timely manner. Under the settlement agreement, the hospital must maintain an inventory of its systems, custodians, and descriptions of unencrypted data and paper charts that contain PHI, Boston Business Journal reported.
In just one week, Rady Children’s Hospital-San Diego uncovered multiple breaches of PHI caused by human error that affected more than 20,000 patients, according to a hospital press release.
The first breach occurred June 6 and affected 14,121 patients admitted to the hospital from July 1, 2012, through June 30, 2013. The breach occurred when a hospital employee accidentally emailed a spreadsheet containing PHI to four job applicants when trying to send a training file to evaluate the applicants. Upon contacting the four applicants, the hospital learned that one forwarded the email and attachment to two additional people. The spreadsheet contained patients’ names, dates of birth, primary diagnoses, admit/discharge dates, and medical record numbers, as well as insurance carrier and claim information, according to the press release.
While performing an internal investigation following the June 6 breach, the hospital learned that a similar breach affecting 6,307 patients occurred in August, November, and December 2012. In this instance, a hospital employee emailed a test file containing PHI to three job applicants. An additional six applicants took the same test at the hospital, but were unable to save, store, or send the data. The test contained patients’ names, discharge dates, location they were seen, payer name, and balance, according to the press release.