Dignity Health Report Several Data Breaches

June 3, 2018


Abundant different data breaches and violations of HIPAA Laws have been found by Dignity Health in the past few weeks. One occurrence involved a staff member retrieving the PHI of patients without authorized approval, a fault took place that let a business associate get PHI without a current BAA being in place, and most lately, a 55,947-record illegal access/disclosure incident has been submitted to the Division of Health and Human Services’ Office for Civil Rights (OCR).

Dignity Health informed OCR of a data breach affecting patients of its St. Rose Dominican Hospitals at the San Martin, Siena, and Rose de Lima campuses in Nevada on May 10, 2018. The company informs that on April 6, 2018, St Rose Dominican Hospitals broadcast the protected health information of 6,036 customers with an external freelancer to handle health-related court documents for future hearings.

The freelancer in question had been used for ten years and a legal business associate agreement had been in place earlier; nevertheless, that document was no longer legal and data continued to be shared with the freelancer because of a clerical error. Dignity Health states that the way in which the PHI was broadcast didn’t differ in any way to when the BAA was current.

The subject has been studied and altered, additional controls have been applied to avoid similar mistakes from taking place in the time to come.

After this, on June 2, Dignity Health’s St. Joseph’s Hospital and Medical Center disclosed it had found that a worker had been retrieving the PHI of patients without consent for five months. During that time period, parts of 229 patients’ records were improperly acquired.

The improper retrieving of health information was known during a regular review of PHI access logs. That review disclosed one staff member had been retrieving patients’ health information from October 13, 2017 to March 29, 2018. During that period, the files of 229 patients were gotten.

The type of information that might have been gotten by the staff member was limited to names, physicians’ and nurses’ notes, demographic information, dates of birth, and diagnostic data. The retrieving of the information seems to have occurred because of curiosity instead of malevolent intention.

As no Social Security numbers or financial data were gotten, patients have been counseled they don’t require to take any actions to safeguard their individualities. Warnings have been sent as a protection and to meet the requirements of HIPAA.

Dignity Health has disclosed that proper disciplinary action has been taken versus the staff member for the infringement of hospital rules and HIPAA Laws.

Finally, on May 31, Dignity Health recorded a breach report to OCR that has been termed as an illegal disclosure/access occurrence involving electronic mail. The breach report indicates there was some business associate participation in the data breach occurrence, even though no additional information on the breach has been made public.