The protected health information of 1,071 patients who received medical services at the Des Moines Crisis Observation Center was “accidentally and unknowingly disseminated” for a period of three and a half years. The Crisis Observation Center is operated by Polk County Health Services and provides the residents of Polk County, IA with mental health services. Polk County Health Services is the regional administrator and the county’s governing board for mental health and disability services.
Polk County Health Services discovered the breach on February 14, 2018. However, the disclosure of information first began on June 1, 2014 and continued until January 11, 2018. The following information was disclosed: patients’ names, Social Security numbers, Medicaid ID numbers, home addresses, admission dates and discharge locations.
Polk County Health Services knew exactly to whom the information was disclosed and what types of information were received by the identified individuals. The official website of Polk County Health Services published a substitute breach notice, but it did not explain why and how the impermissible disclosure of PHI happened.
The health center took steps to stop further disclosure and dissemination of personal information or PHI. Training on patient privacy was provided to the staff. Additional computer security protection and protocols were implemented to stop unauthorized access and disclosure of PHI.
Though there were no reports received that suggest the misuse of patients’ PHI, all patients whose information was compromised were provided free credit monitoring services for one year as a safety precaution. All patients impacted by the breach were sent notifications in April. The Department of Health and Human Services’ Office for Civil Rights also received the breach incident report.