On May 10, 2018, Dignity Health notified OCR of a data breach impacting patients of its St. Rose Dominican Hospitals at the San Martin, Siena, and Rose de Lima campuses in Nevada. Dignity Health reports that on April 6, 2018, St. Rose Dominican Hospitals sent the protected health information (PHI) of 6,036 patients to a third-party contractor to process health-related court documents for investigations.
The contractor had been used for ten years and a valid business associate agreement (BAA) had previously been signed; however, that agreement had expired, and data was still shared with the contractor due to a clerical error. Dignity Health said that the manner in which the PHI was shared was no different from when the BAA was in place.
The matter has been addressed and further controls have been put in place to stop similar errors from occurring in the future.
St. Joseph’s Hospital and Medical Center Reports Employee PHI Breach
On June 2, Dignity Health’s St. Joseph’s Hospital and Medical Center revealed it had discovered that an employee had been accessing the health information of patients without authorization for five months. During that period, portions of 229 patients’ records were inappropriately obtained.
The inappropriate access was noticed during a periodic review of PHI access logs. That review showed one employee had been accessing patients’ health information from October 13, 2017 to March 29, 2018. During that time, the records of 229 patients were viewed.
The information the employee could have seen was restricted to names, dates of birth, demographic information, physicians’ and nurses’ comments, and diagnostic data. The access seems to have taken place out of curiosity rather than malicious intent.
Since no financial details or Social Security numbers were obtained, patients have been advised they do not need to take any steps to protect their identities. Notifications have been issued as a precaution and to meet the requirements of HIPAA.
Dignity Health reports that corrective disciplinary action has been taken against the employee for the violation of hospital policies and HIPAA Rules.