Dignity Health Report Multiple Data Breaches

by | Jun 1, 2018

A number of different data breaches and violations of HIPAA Rules have been discovered by Dignity Health in the past few weeks. One incident involved a staff member accessing the PHI of patients without official permission, a mistake occurred that allowed a business associate to receive PHI without a current BAA being in place, and most recently, a 55,947-record unauthorized access/disclosure incident has been submittedd to the Department of Health and Human Services’ Office for Civil Rights (OCR).

Dignity Health notified OCR of a data breach affecting patients of its St. Rose Dominican Hospitals at the San Martin, Siena, and Rose de Lima campuses in Nevada on May 10, 2018. The organization reports that on April 6, 2018, St Rose Dominican Hospitals broadcasr the protected health information of 6,036 clients with an external contractor to process health-related court documents for future hearings.

The contractor in question had been used for ten years and a valid business associate agreement had been in place earlier; however, that document has no longer valid and data continued to be shared with the contractor due to a clerical mistake. Dignity Health reports that the way in which the PHI was broadcast did not vary in any way to when the BAA was current.

The matter has been reviewed and amended, extra controls have been implemented to prevent similar errors from happening in the future.

Following this, on June 2, Dignity Health’s St. Joseph’s Hospital and Medical Center revealed it had found that an employee had been accessing the health information of patients without permission for five months. During that time period, portions of 229 patients’ records were inappropriately obtained.

The inappropriate accessing of health information was identified during periodic review of PHI access logs. That review showed one staff member had been accessing patients’ health information from October 13, 2017 to March 29, 2018. During that time, the records of 229 patients were obtained.

The sort of information that could have been obtained by the staff member were restricted to names, dates of birth, demographic information, physicians’ and nurses’ notes and diagnostic data. The accessing of the information appears to have happened due to curiosity rather than malicious intent.

As no financial data or Social Security numbers were obtained, patients have been advised they do not need to take any actions to safeguarded their identities. Alerts have been sent as a precaution and to meet the requirements of HIPAA.

Dignity Health rhas revealed that appropriate disciplinary action has been taken against the staff member for the violation of hospital policies and HIPAA Rules.

Lastly on May 31, Dignity Health filed a breach report to OCR that has been described as an unauthorized access/disclosure incident involving email. The breach report shows there was some business associate involvement in the data breach incident, although no further information on the breach has been made public.

Raise the level of HIPAA Awareness in your organization with Learner-Friendly, Comprehensive and Affordable HIPAA Training.


Please enable JavaScript in your browser to complete this form.

Patrick Kennedy

Patrick Kennedy is a highly accomplished journalist and editor with nearly two decades of experience in the field. With expertise in writing and editing content, Patrick has made significant contributions to various publications and organizations. Over the course of his career, Patrick has successfully managed teams of writers, overseeing the production of high-quality content and ensuring its adherence to professional standards. His exceptional leadership skills, combined with his deep understanding of journalistic principles, have allowed him to create cohesive and engaging narratives that resonate with readers. A notable area of specialization for Patrick lies in compliance, particularly in relation to HIPAA (Health Insurance Portability and Accountability Act). He has authored numerous articles delving into the complexities of compliance and its implications for various industries. Patrick's comprehensive understanding of HIPAA regulations has positioned him as a go-to expert, sought after for his insights and expertise in this field. Patrick's bachelors degree is from the University of Limerick and his master's degree in journalism is from Dublin City University. You can contact Patrick through his LinkedIn profile:

Raise the level of HIPAA Awareness in your organization with Learner-Friendly, Comprehensive and Affordable HIPAA Training.

Comprehensive HIPAA Training

Used in 1000+ Healthcare Organizations and 100+ Universities

    Full Course - Immediate Access

    Privacy Policy