A number of different data breaches and violations of HIPAA Rules have been discovered by Dignity Health in the past few weeks. One incident involved a staff member accessing the PHI of patients without official permission, a mistake occurred that allowed a business associate to receive PHI without a current BAA being in place, and most recently, a 55,947-record unauthorized access/disclosure incident has been submittedd to the Department of Health and Human Services’ Office for Civil Rights (OCR).
Dignity Health notified OCR of a data breach affecting patients of its St. Rose Dominican Hospitals at the San Martin, Siena, and Rose de Lima campuses in Nevada on May 10, 2018. The organization reports that on April 6, 2018, St Rose Dominican Hospitals broadcasr the protected health information of 6,036 clients with an external contractor to process health-related court documents for future hearings.
The contractor in question had been used for ten years and a valid business associate agreement had been in place earlier; however, that document has no longer valid and data continued to be shared with the contractor due to a clerical mistake. Dignity Health reports that the way in which the PHI was broadcast did not vary in any way to when the BAA was current.
The matter has been reviewed and amended, extra controls have been implemented to prevent similar errors from happening in the future.
Following this, on June 2, Dignity Health’s St. Joseph’s Hospital and Medical Center revealed it had found that an employee had been accessing the health information of patients without permission for five months. During that time period, portions of 229 patients’ records were inappropriately obtained.
The inappropriate accessing of health information was identified during periodic review of PHI access logs. That review showed one staff member had been accessing patients’ health information from October 13, 2017 to March 29, 2018. During that time, the records of 229 patients were obtained.
The sort of information that could have been obtained by the staff member were restricted to names, dates of birth, demographic information, physicians’ and nurses’ notes and diagnostic data. The accessing of the information appears to have happened due to curiosity rather than malicious intent.
As no financial data or Social Security numbers were obtained, patients have been advised they do not need to take any actions to safeguarded their identities. Alerts have been sent as a precaution and to meet the requirements of HIPAA.
Dignity Health rhas revealed that appropriate disciplinary action has been taken against the staff member for the violation of hospital policies and HIPAA Rules.
Lastly on May 31, Dignity Health filed a breach report to OCR that has been described as an unauthorized access/disclosure incident involving email. The breach report shows there was some business associate involvement in the data breach incident, although no further information on the breach has been made public.