Children’s National Health System announced that a Business Associate, Ascend Healthcare System Medical, may have allowed access to transcribed reports by way of Google.

In a recent press release, Children’s National Health System notified patients that one of their Business Associates may have allowed access to patient records over the Internet. Between May 1, 2014, and June 23, 2014, Ascend Healthcare Systems provided medical transcription services to Children’s National. After this brief period of service, Children’s National moved to another service provider.

A requirement of the service agreement between the two organizations required that Ascend would destroy all the records after ending the contract. Ascend did not follow this aspect of the service agreement. Additionally, on February 25, 2016, Children’s National became aware that Ascend had misconfigured a file site that contained patient information. The misconfiguration allowed the patient records to be found by search engines, such as Google.

Consequently, this may have led to access of as many as 4,107 Children’s National patient records between February 19, 2016, and February 25, 2016.

Children’s National does not believe that this is a significant security risk for patients. The information in question did not contain any billing information or Social Security numbers. Children’s National will not be providing fraud protection services for the patients.

This incident shows why Covered Entities must ensure that their Business Associates are HIPAA compliant. Now, Children’s National is notifying patients of a potential breach, possibly affecting the patients’ trust. This could potentially damage the reputation of Children’s National and affect the health care organization monetarily if patients decide to take their care elsewhere.

Help ensure your Business Associates are HIPAA compliant. Send them to HIPAAgps and require that they keep you informed on their risk assessment results and organization practices.