Federal Agents Investigating Exposure of Patient Data

Healthcare Compliance Perspective:

If a breach of protected health information is alleged, an investigation must be initiated and documented immediately, and, if the breach is verified, affected individuals, appropriate officials, and local news media must be notified, as required. A corrective action plan is also needed, targeting the nature of the breach, remedies, and steps to prevent future breaches.

A health and hospital system is currently under investigation by the U.S. DHHS – Office for Civil Rights due to a security breach in the hospital’s system that revealed some of the protected health information (PHI) of over 700 patients.

The breach was announced by system authorities in a news release last October. The breach occurred last March and is attributed to a company that works with the hospital system regarding “patients’ insurance eligibility.” The company did not report the breach to the hospital system until October. The explanation given for how the breach occurred was that during a systems upgrade, the PHI was mistakenly transmitted to several other healthcare providers.

The breach exposed “names, account numbers, medical record numbers and birthdays.” However, the hospital system maintains that patients’ “addresses, Social Security numbers and clinical information” were not included in the breach.

The Illinois hospital system believes there has been no reported or discovered misuse of the breached information. However, in June another Illinois healthcare provider reported possible PHI exposure of over 600 patients in its system related to the same company.

A spokesman for the company responsible for the breach described the incident as not being a true patient data breach, but rather “an isolated processing error.” The company makes this assertion because it contends the patient information was transmitted only to healthcare organizations under the federal HIPAA Privacy Rule.