Impermissible Disclosures of PHI Affected 1,600 Ohio Patients

993 Ohio residents who are Medicaid beneficiaries or have obtained services from the Ohio Department of Job and Family Services (ODJFS) received notification that unauthorized persons potentially viewed some of their protected health information (PHI) due to a computer error. Three particular incidents were identified.

On February 16, 2019, the first computer error made the sensitive data of 250 users of the Ohio Benefits Self-Service Portal appear in another user’s account. The error was discovered and fixed on the same day.

On March 20, 2019, another computer error affected 100 individuals when the information they entered into the Ohio Benefits website was saved to another user’s account. The IT team made temporary fixes to the computer error but is still working on a permanent solution. As another consequence of the March 20 computer error, documents containing the PHI of 34 Medicaid benefits recipients, 608 members of ODJFS and one person receiving both benefits were mailed to 5 different individuals. This issue was fixed on March 22, 2019.

In all cases, the error involved information saved in the Ohio Benefits System, including names, birth dates, claim numbers and case numbers. One year of free identity theft protection services was given to affected individuals as a safety precaution.

University Hospitals Rainbow Babies & Children’s Hospital, located in Cleveland, OH, likewise had a breach involving unauthorized disclosure of information. On February 29, 2019, an employee sent an email by mistake to 840 patients. Though the email did not mention any specific information, the message seemed to imply that all email recipients had the same health ailment.

The BCC field of the email should have been used when adding the email recipients, but the employee used the ‘to’ field instead. As a result, the email addresses of the 840 patients were visible to all email recipients.

The hospital sent notifications to all individuals affected by the privacy breach and sanctioned the hospital employee. The employee underwent retraining on patient privacy and correct email procedures. All other hospital employees will also receive retraining on HIPAA requirements.

Christine Garcia is the staff writer on Calculated HIPAA. Christine has several years of experience in writing about healthcare sector issues with a focus on compliance and cybersecurity issues. Christine has developed in-depth knowledge of HIPAA regulations. You can contact Christine at [email protected]. You can follow Christine on Twitter at https://twitter.com/ChrisCalHIPAA