More than 5,300 QuadMed Clients had PHI Impermissibly Disclosed

Mar 15, 2018

QuadMed, a Wisconsin-based provider of medical, laboratory, pharmacy, fitness, and physical therapy services, has discovered that the PHI of 5,305 clients may have been impermissibly disclosed to certain members of staff.

In November 2013, QuadMed took over management of an onsite clinic at Hillenbrand Inc. Occupational health information of staff members at the Batesville, IN-based manufacturer was stored in an electronic medical record system and access to the system was shared with QuadMed.

Certain QuadMed staff members required access to the data for the administration of occupational health matters. Takeovers of health centers at WI-based Stoughton Trailers and Whirlpool Corporation’s Clyde, OH plant also saw occupational health-related data in EMRs shared with the firm and made accessible to some of its staff members.

On December 26, 2017, QuadMed found that a technical issue affecting the PHI saved in the EMRs used at the Hillenbrand and Stoughton Trailers clinics permitted its employees to view more than the minimum necessary amount of PHI. Staff members had had access to more data than was necessary since May 9, 2016.

A similar breach impacted the Whirlpool clinic, which QuadMed took over in January 2017. In that instance, the EMR system should have had more administrative and technical controls applied that would allow QuadMed to safeguard the privacy of health data; however, the controls had not been fully adapted. QuadMed discovered the potential problem in February 2017, leading to an investigation, although it took until October 2017 for QuadMed to be allocated the level of system access necessary to look into this issue.

At all three centers, the types of protected health information that could possibly have been accessed included patients’ names, onsite clinic service dates, test and evaluation outcomes, diagnoses, medical histories, data on examinations and physicals, vaccinations, travel medicine prescriptions, and workers’ compensation information.

QuadMed reports that the technical problem has now been amended and new controls have been put in place to ensure protected health information remains confidential and can only be accessed by authorized people. Additional employee training has also been provided on the requirements of HIPAA with respect to protecting health data.

All people whose PHI was possibly accessed without authorization have now been made aware of the privacy breach by mail. The unauthorized access/disclosures have been submitted to the Department of Health and Human Services’ Office for Civil Rights (OCR) as two separate breaches affecting 2,471 and 2,834 people.


Patrick Kennedy

Patrick Kennedy is a highly accomplished journalist and editor with nearly two decades of experience in the field. With expertise in writing and editing content, Patrick has made significant contributions to various publications and organizations. Over the course of his career, Patrick has successfully managed teams of writers, overseeing the production of high-quality content and ensuring its adherence to professional standards. His exceptional leadership skills, combined with his deep understanding of journalistic principles, have allowed him to create cohesive and engaging narratives that resonate with readers. A notable area of specialization for Patrick lies in compliance, particularly in relation to HIPAA (Health Insurance Portability and Accountability Act). He has authored numerous articles delving into the complexities of compliance and its implications for various industries. Patrick's comprehensive understanding of HIPAA regulations has positioned him as a go-to expert, sought after for his insights and expertise in this field. Patrick's bachelor's degree is from the University of Limerick and his master's degree in journalism is from Dublin City University.
