Potential PHI Disclosure After Employee Works from Home with Hospital Data
The William W. Backus Hospital has sent breach notification letters to 360 individuals alerting them that their Protected Health Information (PHI) may have been viewed by an unauthorized individual.
The information potentially viewed includes patient names, medical record numbers, dates of treatment, and information relating to the diagnoses and treatment provided to patients. The hospital confirmed to patients that no Social Security numbers, financial information or insurance details had been disclosed. Individuals affected by the breach had previously visited the hospital’s emergency room for treatment.
Under the Health Insurance Portability and Accountability Breach Notification Rule, HIPAA-covered entities are obliged to report all breaches of PHI to the Department of Health and Human Services’ Office for Civil Rights (OCR); however since the data breach involved fewer than 500 individuals, the breach notice does not need to be submitted to the OCR until the end of February, 2016. A breach notice only needs to be issued to the media if more than 500 individuals have been affected.
A local resident received a breach notification letter – dated August 20, 2015 – and contacted the Norwich Bulletin regarding he breach. A copy of the notice letter was provided to reporters, in which the patient was informed that the breach occurred when an employee took PHI home on a portable device in order to complete work duties.
However, the hospital says that during the time that the employee had the data, there is a possibility that the information was viewed by someone else, hence the issuing of breach notification letters. Glenn Stadnick, East Region Compliance Office for Hartford Healthcare, said in the letter that action is being taken to mitigate risk and prevent similar incidents from occurring in the future. He also said “We have no indication that your information was used improperly. However, out of an abundance of caution, we wanted to notify you regarding this incident and assure you we take it very seriously.”
The discipline taken against the individual was not disclosed to patients as it is against hospital policy to do so; however, Shawn Mahoney, a spokesperson for the hospital, did point out that taking records home is against hospital policy.
This type of data breach should never have happened, but it is easy to see how an incident of this nature could occur: An employee takes work home and a friend or family member views the data. This appears to be exactly what happened here. The employee took data home, and a person in her house potentially viewed that data.
What is perhaps more worrying that the breach is the fact it took 9 months for it to be discovered. The breach notification letter states PHI was potentially viewed between Aug. 11, 2014 and May 29, 2015. If the breach ended on May 29, 2015, it is not clear why it then took until August 20 to send the letters. Sub-500 record data breaches may not need to be reported to the OCR until the end of the year, but breach victims must still be notified within 60 days of the discovery of a data breach. The breach notice letter did not say when Hartford Health was alerted to the incident.
HIPAA-covered entities should be aware that even small data breaches can lead to big fines. The OCR investigates all data breaches involving more than 500 records; however smaller data breaches can also trigger an investigation if HIPAA Rules have potentially been violated.
In January, 2013, the Hospice of North Idaho was fined $50,000 for the loss of an unencrypted laptop computer containing the data of just 441 patients. The investigation revealed that that company had failed to perform a risk assessment, and did not have policies in place to safeguard the ePHI stored on mobile devices.
