Archive for HIPAA Violations
A former employee of Tri-City Medical Center in Oceanside, California, removed ED logs containing the PHI of approximately 6,500 patients without authorization on August 8, according to a press release.
The former employee placed the records at the bottom of a cart he used when transporting his personal belongings from the hospital to his vehicle. The hospital used the logs in an onsite regulatory review the day prior to the theft, according to the medical center website. The former employee took the records to the San Diego Office of the California Department of Public Health, which oversees California hospital regulations. Tri-City Medical Center was in contact with the California Department of Public Health following the unauthorized removal of the logs from its premises, according to a breach notification letter sent to affected patients.
The paper logs contained the full names, dates of service, dates of birth, admitting physicians, medical record numbers, diagnoses and admit dates and times for patients admitted to the hospital or transferred to another facility from December 1, 2013 through May 13, 2014. The hospital alerted law enforcement officials of the incident, according to the press release.
The theft of three desktop computers at Bay Area Pain Medical Associates in Sausalito, California, may have exposed information about 2,780 patients, according to a sample notification letter released by the medical group.
Medical records stored on the desktop computers were encrypted, but the medical center suspects that an Excel® spreadsheet containing patient names and dates of service may have been accessible. Thieves broke into Bay Area Pain Medical Associates May 19. The theft was discovered the following day, at which time the medical center notified law enforcement officials, according to the letter.
HHS frequently stresses the importance of encrypting devices. In April, HHS released a statement that emphasized the need for encryption, citing two OCR settlement agreements that totaled nearly $2 million as examples of the dangers posed by unencrypted devices in healthcare.
Although some Bay Area Pain Medical Associates patient names on the computers may have been accessed following the break-in, the medical group stated in its letter that encryption would prevent the unauthorized disclosure of other PHI stored on the devices, including Social Security numbers and dates of birth.
Women & Infants Hospital of Rhode Island agreed to a $150,000 settlement with the Massachusetts Attorney General for a November 2012 breach that affected more than 12,000 Massachusetts patients, according to Boston Business Journal.
The breach began in 2011 when the hospital transferred 19 unencrypted back-up tapes from the hospital’s prenatal diagnostic centers in New Bedford, Massachusetts, and Providence, Rhode Island, to a central data center for its parent company, Care New England Health System. The parent company then sent the tapes off-site for archival. In 2012, Women & Infants Hospital staff discovered that 12 of the tapes were missing. The tapes contained patients’ names, dates of birth, Social Security numbers, exam dates, and ultrasound images, as well as physicians’ names. Approximately 1,800 patients from other states were also affected, Boston Business Journal reported.
The Massachusetts Attorney General’s Office filed a complaint against Women & Infants Hospital of Rhode Island July 2, 2014, alleging that the hospital violated HIPAA by failing to track the back-up tapes and neglecting to notify affected patients of the breach in a timely manner. Under the settlement agreement, the hospital must maintain an inventory of its systems, custodians, and descriptions of unencrypted data and paper charts that contain PHI, Boston Business Journal reported.
In just one week, Rady Children’s Hospital-San Diego uncovered multiple breaches of PHI caused by human error that affected more than 20,000 patients, according to a hospital press release.
The first breach occurred June 6 and affected 14,121 patients admitted to the hospital from July 1, 2012, through June 30, 2013. The breach occurred when a hospital employee accidentally emailed a spreadsheet containing PHI to four job applicants when trying to send a training file to evaluate the applicants. Upon contacting the four applicants, the hospital learned that one forwarded the email and attachment to two additional people. The spreadsheet contained patients’ names, dates of birth, primary diagnoses, admit/discharge dates, and medical record numbers, as well as insurance carrier and claim information, according to the press release.
While performing an internal investigation following the June 6 breach, the hospital learned that a similar breach affecting 6,307 patients occurred in August, November, and December 2012. In this instance, a hospital employee emailed a test file containing PHI to three job applicants. An additional six applicants took the same test at the hospital, but were unable to save, store, or send the data. The test contained patients’ names, discharge dates, location they were seen, payer name, and balance, according to the press release.
A former East Texas hospital employee faces up to 10 years in prison for HIPAA violations, according to a press release from the U.S. Department of Justice.
Joshua Hippler, 30, formerly of Longview, Texas, faces charges for wrongful disclosure of individually identifiable health information. Hippler was accused of obtaining PHI with the intent to use it for personal gain while employed by the hospital in question from December 1, 2012, through January 14, 2013. A grand jury recently indicted Hippler, according to the press release.