Category: U.S. breaches

PA: Ephrata Community Hospital fires employee for snooping in patient records

By , June 18, 2013 3:21 pm

In a statement on their web site linked from their home page as a privacy notice, Ephrata Community Hospital in Pennsylvania writes:

Ephrata Community Hospital takes our obligation to protect our patients’ personal health information seriously. Regrettably, this notice concerns some of that information.

On April 16, 2013, we learned that one of our employees had accessed patient medical records prior to that date. Viewing these medical records was outside the employee’s job duties. We immediately began an investigation and confirmed that the employee viewed some patients’ electronic medical records and may have accessed clinical information. The employee did not access any Social Security numbers or other financial information, and Ephrata terminated the employee.

We have no reason to believe that the information was used in any way, but as a precaution, we began sending letters to affected patients on June 14, 2013. We have also established a dedicated call center for patients to call with any questions. If you believe you are affected but have not received a letter by July 1, 2013, please call 1-888-414-8021, Monday through Friday between 9:00 a.m. and 7:00 p.m. Eastern Time. When prompted, please enter the following 10-digit reference code: 8934061413.

We regret any inconvenience this may cause our patients. To help prevent something like this from happening in the future, we are reinforcing education with all staff regarding the importance of maintaining the confidentiality of our patients’ information and appropriate care-related access to patient records.

The hospital did not respond to emails sent both yesterday and today asking them when the improper access first began, how the hospital discovered or learned of the breach, the department the employee worked in, and the number of patients affected.

HHS releases statement on Prime Healthcare/Shasta Regional settlement

By , June 14, 2013 7:13 pm

In a press release issued yesterday and posted today, HHS writes:

Shasta Regional Medical Center (SRMC) has agreed to a comprehensive corrective action plan to settle a U.S. Department of Health and Human Services (HHS) investigation concerning potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule.

The HHS Office for Civil Rights (OCR) opened a compliance review of SRMC following a Los Angeles Times article which indicated two SRMC senior leaders had met with media to discuss medical services provided to a patient. OCR’s investigation indicated that SRMC failed to safeguard the patient’s protected health information (PHI) from impermissible disclosure by intentionally disclosing PHI to multiple media outlets on at least three separate occasions, without a valid written authorization. OCR’s review indicated that senior management at SRMC impermissibly shared details about the patient’s medical condition, diagnosis and treatment in an email to the entire workforce. In addition, SRMC failed to sanction its workforce members for impermissibly disclosing the patient’s records pursuant to its internal sanctions policy.

“When senior level executives intentionally and repeatedly violate HIPAA by disclosing identifiable patient information, OCR will respond quickly and decisively to stop such behavior,” said OCR Director Leon Rodriguez. “Senior leadership helps define the culture of an organization and is responsible for knowing and complying with the HIPAA privacy and security requirements to ensure patients’ rights are fully protected.”

In addition to a $275,000 monetary settlement, a corrective action plan (CAP) requires SRMC to update its policies and procedures on safeguarding PHI from impermissible uses and disclosures and to train its workforce members. The CAP also requires fifteen other hospitals or medical centers under the same ownership or operational control as SRMC to attest to their understanding of permissible uses and disclosures of PHI, including disclosures to the media.

The Resolution Agreement can be found on the OCR website at: http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/shasta-agreement.pdf

NC veterans’ PHI left in recycle bin

By , June 14, 2013 6:01 pm

Associated Press reports:

The Veterans Affairs hospital in Fayetteville says documents containing the personal information of nearly 1,100 veterans were found in a recycling bin two months ago.

The Fayetteville VA Medical Center announced Friday it’s notifying the 1,093 affected veterans whose consultation reports from the optical shop were incorrectly placed in a recycle bin over a three-month period. The documents found April 17 contained patients’ names, Social Security numbers, dates of birth, addresses and prescriptions.

Read more on Enquirer-Herald. There doesn’t seem to be any statement on the center’s web site as of the time of this posting.

Lucile Packard Children’s Hospital notifying 12,900 after laptop stolen from secured badge-access area

By , June 12, 2013 3:12 pm

Lucile Packard Children’s Hospital is no stranger to stolen equipment containing PHI. In January 2010, they self-reported a breach involving a stolen desktop computer with PHI on 532 patients, and as recently as January, they notified 57,000 patients after a laptop was stolen from a physician’s car. Now the hospital is notifying patients about another breach involving the theft of hardware with unencrypted PHI. From a statement on their web site:

Lucile Packard Children’s Hospital at Stanford is notifying patients by mail that a password-protected, non-functional laptop computer that could potentially contain limited medical information on pediatric patients was stolen from a secured, badge-access controlled area of the hospital sometime between May 2 and May 8, 2013. This incident was reported to Packard Children’s on May 8. Immediately following discovery of the theft, Packard Children’s launched an aggressive and ongoing investigation with security and law enforcement.

To date, there is no evidence that any pediatric patient data has been accessed by an unauthorized person or otherwise compromised.

What medical information was on the laptop?
The information that could potentially have been on the stolen computer related to operating room schedules, which the employee accessed as part of her work functions through Packard Children’s secure and encrypted electronic systems. The computer was password protected, but some information could have transferred to the laptop, and the laptop was not encrypted. The computer was outdated and damaged, thus on a schedule for collection by information technologists.

The information did not include financial or credit card information, nor did it contain Social Security numbers, insurance numbers or any other marketable information. The information on the operating room schedule that could have transferred to the computer would have been patient names, ages, medical record number, telephone number, scheduled surgical procedure, and name of physicians involved in the procedure over a three-year period beginning in 2009. To date, there is no evidence that any patient data has been accessed by an unauthorized person or otherwise compromised.

How many patients were potentially affected?
Out of an abundance of caution, we are providing outreach to approximately 12,900 patients, and we are assuring they are notified promptly.

When did the notifications begin?
Notifications to federal and state regulators, affected individuals and parents, and the media are under way as of June 11. Due to the law enforcement investigation, such notifications were delayed, as permitted by law, to avoid impeding the investigation.

How are potentially affected individuals being notified?
In addition to the mailed letters, a toll-free phone line has been established to answer questions for those notified. The toll-free number is (855) 683-1168, and is available Monday through Saturday from 6 a.m. to 6 p.m. PST. In addition, potentially affected individuals have been offered the option of free identity protection services.

How is the investigation proceeding?
So far, efforts to recover the computer have been unsuccessful, but the law enforcement investigation is still ongoing.

Lucile Packard Children’s Hospital strives to be an industry leader in the area of medical information security. As a result of this incident, we are taking additional steps to further strengthen our policies and controls surrounding the protection of patient data.

News Release
http://www.lpch.org/aboutus/news/releases/2013/patient-notification.html

House panel to probe alleged seizure of medical records by IRS

By , June 12, 2013 2:35 pm

And speaking of outrageous breaches, Elise Viebeck reports:

A top House committee launched another probe of the Internal Revenue Service (IRS) Tuesday after a lawsuit alleged that the agency improperly seized millions of personal medical records in California.

In a letter, Republican leaders on the Energy and Commerce panel asked the IRS to explain how it handles confidential medical information.

“While [federal] privacy rules restrict the ability of a covered entity to release protected health information, those rules appear to impose no restrictions on the IRS’s ability to use such information after it is obtained,” the lawmakers wrote.

Read more on The Hill.

The letter requests a response from the IRS by June 21.