June 3, 2018
Several different data breaches, as well as violations of HIPAA Laws, have been found by Dignity Health in the past few weeks. One occurrence implicated a staff member retrieving the PHI of patients without official consent, an error occurred that permitted a business associate to receive PHI without an existing BAA being in place, and most recently, a 55,947-record illegal access/disclosure occurrence has been submitted to the Division of Health and Human Services’ Office for Civil Rights (OCR).
Dignity Health informed OCR of a data breach affecting patients of its St. Rose Dominican Hospitals at the San Martin, Siena, and Rose de Lima campuses in Nevada on May 10, 2018. The company informed that on April 6, 2018, St Rose Dominican Hospitals announced the PHI of 6,036 clients with an external free-lancer to handle health-related court documents for future hearings.
The freelancer in question had been used for ten years and a legal business associate contract had been in place earlier; nevertheless, that document was no longer useable and data continued to be shared with the free-lancer because of a clerical error. Dignity Health informed that the way in which the PHI was announced didn’t change in any way to when the BAA was current.
The subject has been studied and changed, additional controls have been applied to avoid similar mistakes from occurring in the time to come.
After this, on June 2, Dignity Health’s St. Joseph’s Hospital and Medical Center disclosed it had found that a worker had been retrieving the health information of patients without consent for five months. During that time period, parts of 229 patients’ files were wrongly obtained.
The wrong retrieving of health information was identified during periodic evaluation of PHI access logs. That evaluation demonstrated one staff member had been retrieving patients’ PHI from October 13, 2017 to March 29, 2018. During that time, the files of 229 patients were obtained.
The type of information that might have been obtained by the staff member was limited to names, demographic information, dates of birth, doctors’ and nurses’ notes and diagnostic data. The retrieving of the information seems to have occurred because of curiosity instead of malevolent intent.
Since no Social Security numbers or financial data were obtained, patients have been instructed they don’t need to take any actions to safeguard their identities. Warnings have been sent as a precaution and to meet the requirements of HIPAA.
Dignity Health has disclosed that proper disciplinary action has been taken against the staff member for the violation of hospital rules and HIPAA Laws.
Finally, on May 31, Dignity Health recorded a breach information to OCR that has been described as an illegal access/revelation occurrence involving electronic mail. The breach information demonstrates there was some business associate participation in the data breach occurrence, even though no additional information on the breach has been made public.