PHI Breach at Illinois Health System Due to Billing Error

Over 1,700 patients’ protected health information (PHI) was breached when their billing statements were mailed in error to a single patient’s address. The billing statements, however, never reached that erroneous address.

The billing statements were mailed out on July 29, 2021, but the error was not discovered until October 29, 2021, three months later. The statements included patient names, the provider visited, account numbers, and the types and dates of the healthcare services that the patients received. The Office for Civil Rights (OCR) data breach portal reported that this incident impacted a total of 1,729 individuals. The Illinois-based health system includes 26 hospitals and over 500 care sites in Illinois and Wisconsin.

A health system representative said that the error was caused by an accidental and unnoticed change to an account type in the health system’s billing software.

Health system personnel are unaware of any misuse of the PHI but will be taking steps to improve their internal processes and security measures. All patients who were affected by the PHI breach have been notified and have been offered free credit monitoring.
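As an added example (not code from the page or from the health system’s billing software), the two detective controls below would have surfaced a misrouting like the one described above long before three months had passed: a diff of account configuration snapshots that reports every change to an account type, and a pre-print check on a statement batch that flags any mailing address about to receive statements for an implausible number of distinct patients. The field names (account_type, mail_to, patient_id), the guarantor account type, the address and the sample records are all constructed assumptions for illustration.

```python
# Added example, not from the page or the health system's software.
# Two independent detective controls for the failure described above:
#   1. audit_account_type_changes(): diff a snapshot of account
#      configuration against the previous one and report every
#      account_type change so that an "unnoticed" change gets noticed.
#   2. check_mailing_batch(): before a statement batch goes to print, flag
#      any mailing address that would receive statements for more distinct
#      patients than a household plausibly contains.
# All field names, account types and sample records are constructed.
from collections import defaultdict

# Constructed sample address used by the misrouted batch below.
SAMPLE_ADDRESS = "1 Example St, Springfield, IL 62701"


def audit_account_type_changes(previous, current):
    """Return [(account_id, old_type, new_type)] for every account whose
    account_type differs between two configuration snapshots.

    previous / current are dicts keyed by account id; each value is a dict
    with at least an 'account_type' key (assumed schema)."""
    changes = []
    for acct_id, cur in current.items():
        old = previous.get(acct_id)
        if old is not None and old["account_type"] != cur["account_type"]:
            changes.append((acct_id, old["account_type"], cur["account_type"]))
    return changes


def check_mailing_batch(statements, max_patients_per_address=3):
    """Group statements by recipient address and return
    {address: distinct_patient_count} for every address that exceeds the
    threshold. A household legitimately receives statements for a few
    patients; one address receiving 1,700 is a misroute and the batch
    should be held before printing."""
    patients_by_address = defaultdict(set)
    for s in statements:
        patients_by_address[s["mail_to"]].add(s["patient_id"])
    return {
        addr: len(patients)
        for addr, patients in patients_by_address.items()
        if len(patients) > max_patients_per_address
    }


def build_sample_batch(n_patients, misrouted=True):
    """Constructed sample batch of n_patients statements.

    misrouted=True models the incident: every statement carries the same
    recipient address. misrouted=False gives each patient its own address."""
    batch = []
    for i in range(n_patients):
        batch.append({
            "patient_id": f"P{i:05d}",
            "account_id": f"A{i:05d}",
            "mail_to": SAMPLE_ADDRESS if misrouted else f"{i} Patient Rd",
        })
    return batch


if __name__ == "__main__":
    # Constructed snapshots: one account silently changed type.
    before = {"A00001": {"account_type": "self-pay"},
              "A00002": {"account_type": "self-pay"}}
    after = {"A00001": {"account_type": "guarantor-consolidated"},
             "A00002": {"account_type": "self-pay"}}
    print("account type changes:", audit_account_type_changes(before, after))
    print("flagged addresses:", check_mailing_batch(build_sample_batch(1729)))
    print("clean batch flagged:", check_mailing_batch(
        build_sample_batch(10, misrouted=False)))
```

Run as a scheduled job against nightly configuration exports and as a gate in the statement print pipeline; either check alone would have turned a three-month exposure window into a same-day hold.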

Issue:

All healthcare workers must understand HIPAA and how to secure protected health information (PHI). The Privacy Rule allows access to the information needed to ensure high-quality healthcare and to protect the public, while ensuring that an individual’s health information is properly protected. Software errors and employee negligence are serious risks to patient privacy and security; in this incident, a single unnoticed configuration change exposed the PHI of more than 1,700 patients and went undetected for three months. All staff members at all levels must demonstrate understanding of the Privacy Rule, HIPAA requirements, and how to protect PHI. Additional information is available in the Med-Net Corporate Compliance and Ethics Manual, Chapter 5 Privacy Plan, PP 2.0 Privacy Policy and Procedure.

Discussion Points:

  • Review policies and procedures related to HIPAA, PHI, and Privacy. Ensure that they address how health information exchanges should be conducted, and how changes to billing and mailing configurations are approved and verified.
  • Train all staff on HIPAA, PHI, and Privacy, at a minimum upon hire and annually thereafter. Document that these trainings occurred and file the signed training document in the employees’ education files.
  • Periodically audit to ensure that the facility’s policies and procedures for HIPAA, PHI, and privacy are being followed by all staff, and that each person demonstrates understanding and competency.