Several Data Breaches Informed by Dignity Health


Dignity Health has found several data breaches and violations of HIPAA Laws in the past few weeks. One occurrence involved a worker retrieving the PHI of patients without approval, a mistake happened that let a business associate get PHI without a valid BAA being in place, and most lately, a 55,947-record illegal access/disclosure occurrence has been informed to the Division of Health and Human Services’ Office for Civil Rights (OCR).

Business Associate Contract Mistake Found

On May 10, 2018, Dignity Health informed OCR of a data breach impacting patients of its St. Rose Dominican Hospitals at the San Martin, Siena, and Rose de Lima campuses in Nevada. Dignity Health informs that on April 6, 2018, St Rose Dominican Hospitals shared the PHI of 6,036 patients with a third-party freelancer to manage health-related court documents for hearings.

The freelancer had been used for ten years and a legal business associate contract was earlier in place; nevertheless, that document had expired and data carried on to be shared with the freelancer because of a clerical mistake. Dignity Health informs that the way in which the PHI was shared didn’t differ in any manner to when the BAA was in place.

The matter has been resolved and additional controls have been put in place to avoid similar mistakes from happening in the time to come.

Incorrect Retrieving of PHI by St. Joseph’s Hospital and Medical Center Worker

On June 2, Dignity Health’s St. Joseph’s Hospital and Medical Center declared it had found a worker had been retrieving the health information of patients without approval for five months. During that time, parts of 229 patients’ records were wrongly retrieved.

The incorrect retrieving of health information was found during periodic examination of PHI access logs. That examination disclosed one worker had been retrieving patients’ health info from October 13, 2017 to March 29, 2018. During that period, the files of 229 patients were retrieved.

The kinds of information that might have been seen by the worker were limited to names, demographic information, dates of birth, nurses’ and physicians’ notes and diagnostic information. The retrieving of the information seems to have taken place out of curiosity instead of malevolent intention.

As no financial data or Social Security numbers were retrieved, patients have been informed they don’t need to take any actions to safeguard their identities. Notices have been delivered as a safety measure and to satisfy the requirements of HIPAA.

Dignity Health informs that proper disciplinary action has been taken against the worker for the violation of hospital rules and HIPAA Laws.

55,947-Record Email Breach Informed

On May 31, Dignity Health presented a breach report to OCR that has been recorded as an illegal access/disclosure occurrence involving electronic mail.

Dignity Health replied to a request from HIPAA Journal for additional information concerning the breach and verified the occurrence affected Dignity Health and its associates Dignity Health Medical Group Nevada, LLC, and Dignity Health Medical Foundation.

On April 24, 2018, Dignity Health found an electronic mail list formatted by its business associate, Healthgrades, had a mistake that led to electronic mails being misaddressed. Electronic mails were sent to inform patients concerning a new online appointment programming tool.

Although the electronic mail was sent to 55,947 patients, the only information revealed was the patient’s name, and in some instances, the name of that person’s doctor. Each electronic mail was mistakably transmitted to one wrong receiver only.

Steps have now been taken to avoid more occurrences of this type from happening and patients have now been informed about the mistake.