5 Healthcare Companies Involved in Impermissible Disclosure of PHI

3,100 Patients' Records Impermissibly Viewed by Beacon Health System Employee

Beacon Health System (BHS), based in South Bend, IN, reported that an employee accessed the health records of 3,117 patients without a valid work reason. BHS detected the unauthorized activity on or about January 10, 2023 and launched an investigation to determine the magnitude of the privacy breach.

BHS stated that the employee performed tasks associated with patient signups, validation of benefits, and patient placements inside the hospital. The employee was therefore granted security privileges enabling access to clinical notes in medical records, since access to clinical data was sometimes required. On February 20, 2023, the investigation revealed that the employee had accessed medical records even though his or her work duties did not call for it. This happened from November 18, 2018 until February 24, 2023.

The exposed data included names, birth dates, addresses, Social Security numbers, and clinical documents such as diagnoses, emergency care treatment data, laboratory and diagnostic screening results, medical histories, operative and anesthesia records, and ancillary clinical records. BHS sent notification letters to the affected individuals and confirmed that the employee's employment at BHS was terminated.

Impermissible Disclosure of Historical Health Records at California Secretary of State

The California Secretary of State recently reported an impermissible disclosure of historical health records. A researcher requested some public records from the California sterilization program. Only records over 75 years old are considered public records. However, the researcher received records containing information from 1948 to 1952. The first set of records was received on-site on December 19. The second set of records was received via secure digital transfer on December 22.

The researcher informed the California Secretary of State about the problem on December 23, 2022. The disclosure was the result of incorrect date range labels. The researcher stated that the records were not read in detail and were deleted from the computer. The records contained personally identifiable information (PII) such as patient names, names of family members, birth dates, and family medical records, and medical data such as diagnoses, sterilization dates, operation dates, and other medical information. The California Secretary of State reviewed the records and removed the files from the microfilm.

Sensitive Data Breach at Baltimore Occupational Health Service Provider

Occupational Medical Services, located in Baltimore, MD, reported that boxes of files containing sensitive patient data were found outside its facility. Occupational Medical Services offers drug and alcohol screening and care in workers' compensation cases. Some members of the public opened the boxes, which contained patient data such as names, contact details, Social Security numbers, and health data.

FOX45 reporters contacted Occupational Medical Services owner Joyce Phillips and learned that the files came from a medical facility that had shut down and were to be collected for shredding and disposal. There were 200 boxes of files that had been taken outside the facility for collection. It had been a day since.

PHI of 3.1 Million Cerebral Platform Users Impermissibly Disclosed Due to Pixel Use

The telehealth firm Cerebral Inc. has reported that, due to the use of pixels and other tracking technology on its website, the personal data and protected health information (PHI) of 3,179,835 patients were impermissibly disclosed. Cerebral is a fully remote telehealth company that gives its patients access to mental health services, including online treatment, mental health assessments, and visits with clinicians to treat conditions such as depression, anxiety, and insomnia. On January 3, 2023, Cerebral stated that it had discovered that pixels and other tracking tools added to its platform had gathered and transmitted sensitive HIPAA-covered data to third parties such as Google, Meta (Facebook), TikTok, and others.

Cerebral mentioned in its breach notice that many brick-and-mortar healthcare companies, telehealth firms, and other organizations use tracking technologies on their websites. It noted that such technologies can collect and impermissibly disclose sensitive information to the firms that provide those tracking tools. An investigation into the incident confirmed that the tracking tools were installed on Cerebral's platforms on October 12, 2019. It was confirmed that PHI was impermissibly disclosed to a number of third parties and certain subcontractors that had not signed a business associate agreement, which would have required them to comply with HIPAA restrictions on the uses and disclosures of any PHI transmitted to them.

Cerebral stated that it deactivated the pixels and tracking technologies when it discovered the problem, and deleted or reconfigured them to stop any further unauthorized sharing of information with third parties or subcontractors that did not satisfy HIPAA requirements. Security procedures and technology vetting methods were likewise improved to reduce the likelihood of similar impermissible disclosures in the future.

Cerebral stated that it was not aware of any misuse of the transmitted information, which could have included a person's name, telephone number, email address, birth date, Cerebral client ID number, IP address, and other demographic data if they created a Cerebral account. If they completed or partly completed a mental health self-assessment, data including the service the person selected, assessment responses, and specific associated health data could likewise have been exposed. If a subscription plan was purchased, the disclosed data could also include the type of plan, appointment dates and booking details, treatment and other clinical details, insurance co-pay amounts, and health insurance or pharmacy benefit details.

Cerebral sent notification letters to everyone who belongs to one of those groups, regardless of whether they became Cerebral patients or provided data beyond what was necessary to create a Cerebral account. Cerebral affirmed that credit card details, bank account data, and Social Security numbers were not exposed; nevertheless, as a precaution, free credit monitoring services were offered to affected individuals. Cerebral also included guidance in the notification letters on protecting privacy against tracking systems, such as blocking or removing cookies, using browsers with privacy features like an incognito mode, and enabling privacy protections in Google accounts and social media.

UC San Diego Health Patient Data Exposed Because of Website Analytics Code

University of California (UC) San Diego Health is the most recent healthcare company to begin informing patients about the impermissible disclosure of some of their PHI to third parties because of website tracking technologies. UC San Diego Health stated that its business associate, Solv Health, installed the analytics code on its scheduling web pages without UC San Diego Health's authorization. UC San Diego Health used Solv Health's website hosting and management services.

The analytics code collected some information about visitors who booked in-person or telehealth consultations using the scheduling web pages. The collected data was then impermissibly disclosed to the third parties that provided the code. UC San Diego Health did not name the third parties in its breach notifications, stating only that they obtained first and last names, dates of birth, email addresses, third-party cookies, IP addresses, reasons for the visits, and insurance type (such as HMO, PPO, Other).

UC San Diego Health stated that there was no disclosure of Social Security numbers, financial account numbers, medical record numbers, or debit and credit card details. No analytics code was installed on its MyUCSDChart or electronic health record systems, so data in those systems was not disclosed. UC San Diego Health began mailing notification letters to affected individuals on March 20, 2023. Those individuals had used online booking for Express Care (La Jolla) or Emergency Care locations (Eastlake/Chula Vista, Encinitas, Downtown San Diego, Rancho Bernardo, and Pacific Highlands Ranch).

Upon discovering the analytics code in December 2022, UC San Diego Health instructed Solv Health to promptly remove the code from the scheduling web pages and to identify those affected. UC San Diego Health is now using a different online scheduling application and has improved its vendor evaluation and management processes.

UC San Diego Health reported the incident to the HHS' Office for Civil Rights and to the local media; however, the number of affected individuals is still uncertain. Updates will be added when available.
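Both the Cerebral and UC San Diego Health incidents above came down to the same mechanism: scripts, pixels and frames loaded from third-party hosts on pages where patients enter health information, without a business associate agreement covering those hosts. The following audit script is an added example, not code from the article or from any of the companies it describes. It parses the HTML of a scheduling page, lists every externally loaded resource, classifies each host as first-party, covered by a BAA, or unapproved, and notes whether the page also collects patient fields. The domain names, the BAA allowlist and the sample page are all constructed for the example.

```python
# Added example: audit a page's HTML for third-party scripts, pixels and frames
# that are not covered by a BAA. All hosts and the sample page are constructed.
from dataclasses import dataclass
from html.parser import HTMLParser
from typing import List, Optional
from urllib.parse import urlsplit

FIRST_PARTY_SUFFIX = "example-health.org"            # constructed first-party domain
BAA_ALLOWLIST = {"analytics.baa-vendor.example"}     # constructed: vendors under a BAA

# Form field names that suggest the page collects patient data (heuristic substrings).
PATIENT_FIELD_HINTS = ("dob", "birth", "email", "phone", "reason", "insurance", "diagnos", "ssn")

# Constructed scheduling page: one first-party script, one ad-tech tag, a preconnect
# hint, a 1x1 pixel inside <noscript>, and an iframe from a vendor under BAA.
SAMPLE_HTML = """<html><head>
<script src="https://cdn.example-health.org/app.js"></script>
<script async src="https://tracker.example-ads.invalid/tag.js?id=CONSTRUCTED-123"></script>
<link rel="preconnect" href="https://fonts.example-cdn.invalid">
</head><body>
<form action="/book" method="post">
  <input name="email"><input name="dob"><textarea name="reason_for_visit"></textarea>
</form>
<img src="/static/logo.png" alt="logo">
<noscript><img height="1" width="1" style="display:none"
  src="https://pixel.example-social.invalid/tr?ev=PageView"></noscript>
<iframe src="https://analytics.baa-vendor.example/embed"></iframe>
</body></html>"""


@dataclass
class Resource:
    tag: str              # script, img, iframe or link
    url: str
    host: Optional[str]   # None for relative URLs, i.e. first-party
    is_pixel: bool        # 1x1 image: the classic tracking-pixel shape


class PageCollector(HTMLParser):
    """Collect externally loaded resources and form field names from the page."""

    def __init__(self) -> None:
        super().__init__()
        self.resources: List[Resource] = []
        self.fields: List[str] = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag in ("script", "img", "iframe") and a.get("src"):
            url = a["src"]
        elif tag == "link" and a.get("rel") in ("preconnect", "dns-prefetch") and a.get("href"):
            url = a["href"]          # connection hints also reveal the visit to a third party
        elif tag in ("input", "textarea", "select") and a.get("name"):
            self.fields.append(a["name"].lower())
            return
        else:
            return
        pixel = tag == "img" and a.get("width") == "1" and a.get("height") == "1"
        self.resources.append(Resource(tag, url, urlsplit(url).hostname, pixel))


def classify(host: Optional[str]) -> str:
    """Bucket a host: first-party, third party under BAA, or unapproved third party."""
    if host is None or host == FIRST_PARTY_SUFFIX or host.endswith("." + FIRST_PARTY_SUFFIX):
        return "first-party"
    if host in BAA_ALLOWLIST:
        return "third-party-under-baa"
    return "third-party-no-baa"


def audit_page(html: str) -> dict:
    """Return unapproved hosts, pixels, patient fields and an overall risk flag."""
    collector = PageCollector()
    collector.feed(html)
    collector.close()
    flagged = [r for r in collector.resources if classify(r.host) == "third-party-no-baa"]
    patient_fields = sorted({f for f in collector.fields
                             if any(hint in f for hint in PATIENT_FIELD_HINTS)})
    return {
        "unapproved_hosts": sorted({r.host for r in flagged}),
        "pixels": sorted(r.host for r in flagged if r.is_pixel),
        "patient_fields": patient_fields,
        # Highest risk: patient data is entered on a page where unapproved third-party code runs.
        "high_risk": bool(flagged) and bool(patient_fields),
    }


if __name__ == "__main__":
    for key, value in audit_page(SAMPLE_HTML).items():
        print(f"{key}: {value}")
```

Run against the constructed page, the audit flags the ad-tech script, the font preconnect and the social-media pixel as unapproved hosts, leaves the first-party CDN and the BAA-covered vendor alone, and marks the page high risk because it also collects email, date of birth and reason for visit. In practice the same check belongs in a CI step or a periodic crawl of every patient-facing page, so that a hosting vendor adding a tag, as happened to UC San Diego Health, is caught before patients use the page.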

About Christine Garcia
Christine Garcia is the staff writer on Calculated HIPAA. Christine has several years' experience in writing about healthcare sector issues with a focus on compliance and cybersecurity. Christine has developed in-depth knowledge of HIPAA regulations. You can contact Christine at [email protected]. You can follow Christine on Twitter at https://twitter.com/ChrisCalHIPAA