PHI of More Than 5,300 QuadMed Clients Impermissibly Exposed

March 17, 2018


QuadMed, a Wisconsin-based provider of medical, pharmacy, laboratory, fitness, and physical therapy facilities, has found that the PHI of 5,305 clients may have been impermissibly disclosed to some members of its workforce.

In November 2013, QuadMed took over the administration of an onsite health center at Hillenbrand Inc. Occupational health information of workforce members at the Batesville, IN-based manufacturer was stored in an electronic medical record (EMR) system, and access to the system was shared with QuadMed.

Some QuadMed staff members needed access to the data to manage occupational health matters. Takeovers of health centers at WI-based Stoughton Trailers and Whirlpool Company’s Clyde, OH plant also saw occupational health information in EMRs shared with the company and made accessible to a few of its staff members.

On December 26, 2017, QuadMed discovered that a technical problem affecting the PHI stored in the EMRs used at the Hillenbrand and Stoughton Trailers clinics had allowed its workers to see more than the minimum necessary amount of PHI. Staff members had been able to access more data than was required since May 9, 2016.

A similar breach affected the Whirlpool clinic, which QuadMed took over in January 2017. In that case, the EMR system should have had additional technical and administrative controls applied that would let QuadMed protect the confidentiality of health data; however, the controls had not been completely modified. QuadMed identified the potential problem in February 2017 and opened an investigation, although it was not until October 2017 that QuadMed was granted the level of system access needed to look into the problem.

At all three centers, the types of PHI that may have been accessed included patients’ names, travel medicine prescriptions, vaccinations, data on examinations and physicals, medical histories, diagnoses, test and evaluation results, onsite clinic service dates, and workers’ compensation information.

QuadMed reports that the technical problem has now been corrected and that new controls have been put in place to ensure PHI remains confidential and can only be accessed by authorized individuals. Additional staff training has also been provided on HIPAA requirements for safeguarding health data.

All individuals whose PHI was potentially accessed without authorization have now been notified of the privacy breach by mail. The unauthorized access/disclosures have been reported to the Department of Health and Human Services’ Office for Civil Rights (OCR) as two separate breaches affecting 2,471 and 2,834 people.