OCR Received Multiple Data Breach Reports by Dignity Health

Dignity Health submitted multiple data breach reports and HIPAA violations to the Department of Health and Human Services’ Office for Civil Rights (OCR). The reports included an unauthorized access to the PHI of patients, access of PHI by a business associate without a valid BAA first and an unauthorized system access compromising the health records of 55,947 patients.

Dignity Health documented that a personnel of its St. Joseph’s Hospital and Medical Center had access to the PHI of 229 patients for the period October 13, 2017 to March 29, 2018 without appropriate permission. The incident was identified while doing a PHI access logs evaluation. The data that was possibly jeopardized included the names of patients, birth dates, information on demographics, patient information and diagnostic information. The exposed information did not include Social Security numbers or financial data, therefore patients weren’t instructed to adopt any action to safeguard their identities. Nonetheless, all patients had been sent notification as a safety measure and to fulfill HIPAA breach notification requirements. Dignity Health likewise executed the appropriate disciplinary action on the staff that broke hospital rules and HIPAA regulations.

Dignity Health submitted to OCR a data breach report that occurred at St. Rose Dominican Hospitals in San Martin, Siena and Rose de Lima campuses in Nevada on May 10, 2018. On April 6, 2018, St. Rose Dominican Hospitals gave access to a third-party service provider the 6,036 patients’ PHI which are required for preparing some health-related court documents for proceedings. Sadly, during this period the service provider’s business associate agreement already expired, yet the sharing of PHI continued. This occurrence had been settled and to avoid an identical issue from occurring once again, the required controls had been put in place.

Dignity Health documented another data breach that occurred on May 31. It concerned an unauthorized access associated with email use. A business associate was likewise somewhat involved, although details of the data breach weren’t sufficient.

About Christine Garcia 1304 Articles
Christine Garcia is the staff writer on Calculated HIPAA. Christine has several years experience in writing about healthcare sector issues with a focus on the compliance and cybersecurity issues. Christine has developed in-depth knowledge of HIPAA regulations. You can contact Christine at [email protected]. You can follow Christine on Twitter at https://twitter.com/ChrisCalHIPAA