No covered entity wants to notify patients of a potential PHI security incident, yet even with the appropriate safeguards in place, problems can still occur. When this happens, it is important to properly notify potentially affected individuals and then make the necessary changes to existing safeguards to ensure that the same issue does not occur again.
Two different facilities recently dealt with a variety of health data security issues, which illustrates why organizations need a well-rounded approach to security. Anything from human error to cyber attacks can create PHI security issues that need to be handled in a timely manner.
New York facility notifies 90,000 patients of PHI data breach
A former employee at HHC Jacobi Medical Center in the Bronx reportedly put the PHI of 90,000 patients at risk after she improperly accessed and transmitted files containing PHI to her personal email account. The individual also sent the information to her email account at her new employer, which is a New York City agency, according to a New York City Health and Hospitals Corporation (HHC) statement from April 28.
Potentially exposed information includes patient names, addresses, dates of birth, telephone numbers, medical record numbers, treatment dates and types of services, and limited sensitive health information. HHC said that health insurance identification numbers, which may have included Social Security numbers, were also potentially exposed for some patients.
“The unauthorized disclosure was discovered by HHC’s information governance and security program that, among other things, monitors and detects all email communications that contain PHI and other confidential information that are sent from HHC’s information systems without proper authorization,” the statement read.
HHC added that there is no evidence showing that the data was misused in any way, or that it was viewed or sent to anyone other than the former employee.
“HHC has taken immediate measures to prevent the recurrence of this incident, including the automatic blocking of communications containing PHI and other confidential information from being sent from HHC’s information systems to any site or entity outside of the HHC security network other than for legitimate business purposes,” the organization said.
Immunization records accidentally sent to state registry
Approximately 1,000 patients at the UT Southwestern Medical Center had their immunization records mistakenly sent to a confidential Texas registry, according to The Dallas Morning News. Physicians, health departments and school districts all use the registry.
“UT Southwestern notified us of the issue, and we deleted the records from the ImmTrac system,” department spokeswoman Christine Mann told the news source. “It appears it was an error and the issue has been resolved.”
UTSW said that the issue was due to a computer glitch that occurred during “a routine upgrade to the system,” and that it learned about the records being shared after a patient inquiry on March 6. However, UTSW added that the records were transmitted to the state registry starting January 9.
The facility stressed that while the immunization records were mistakenly sent to the state registry, the system is “subject to strict confidentiality requirements” and that all data is transmitted with “high-strength encryption.”
“We corrected the electronic issue in our system the same day it was discovered,” UTSW spokesman Russell Rian said in a statement, according to the news source. “And we worked diligently…to prevent any future occurrence.”