Children’s Mercy Hospital notified more than 5,000 patients about a breach of protected health information (PHI) after privilege misuse was discovered.
Children’s Mercy sent a letter on May 19 to more than 5,000 patients outlining a breach that was discovered back in March at the hospital in Texas. The Information Security Department discovered an unauthorized website, created by a physician as an educational resource, that contained patient information. According to the letter, the exposed patient information included names, medical record numbers, dates of birth, visit dates, coding information and some visit notes. The information did not include Social Security numbers, phone numbers, addresses, account information or photographs.
The physician who created the site believed that because it was password protected, the information was not accessible to prying eyes. However, the Information Security Department decided that the site’s security measures did not meet its minimum requirements, and the website was removed. The website was not owned by Children’s Mercy and was not hosted on its network. Additionally, storing patient information in this way violates the hospital’s policies.
Children’s Mercy is providing 12 months of identity theft protection services. Additionally, it has set up a hotline that patients can call to get more information. Children’s Mercy also stated in the letter that re-education and re-training will be provided to staff for HIPAA compliance purposes.
This is a great example of why HIPAA compliance training must be conducted frequently and be provided to all employees who may have access to PHI. Many people don’t realize how easy it is to be noncompliant and to experience a breach. Using examples like this during training will help reduce the likelihood of experiencing such a breach.
Most people don’t willfully neglect HIPAA compliance or deliberately share information they shouldn’t. Many breaches result from misjudgments and from misunderstanding everything that HIPAA compliance requires.
Start using HIPAAgps today to provide better HIPAA compliance training to your employees and help your company prevent costly breaches.