QuadMed, a medical, fitness, physical therapy, laboratory and pharmacy services provider based in Wisconsin, sent notification letters by mail to 9,854 patients informing them that their PHI was potentially viewed without authorization during a privacy breach. The breach had already been reported to the Department of Health and Human Services' Office for Civil Rights as three separate incidents. Two incidents, which impacted 2,471 and 2,834 persons, were reported on February 26. The third incident, which impacted 4,549 persons, was reported on January 29, 2018.
To understand how this privacy breach came about, here is a brief background. When QuadMed took over an onsite clinic from Hillenbrand Inc, it used an electronic medical record (EMR) system that was shared with Indiana-based Batesville for storing the occupational health information of employees. When QuadMed took over other clinics at Stoughton Trailers in Wisconsin and at Whirlpool Corporation's Clyde, OH plant, it likewise used an EMR system shared with the respective firm. With this shared EMR set-up, some QuadMed employees who needed access to data for administering occupational health matters were able to access more data than was necessary for their role.
QuadMed only discovered the problem on December 26, 2017. A technical issue in the Hillenbrand and Stoughton Trailers clinics' EMRs allowed employees accessing the system to view stored PHI that they were not supposed to access. This configuration error, and the impermissible viewing of PHI it allowed, had persisted since May 9, 2016.
A privacy breach of the same nature happened at the Whirlpool clinic, which QuadMed had only taken over in January 2017. The EMR system should have been fixed by then through the application of administrative and technical controls to protect PHI privacy. The problem, however, was the delay in implementing those controls. QuadMed found out about the potential problem in February 2017 and initiated an investigation, yet it took a while before the investigators were given the level of system access required to fully investigate the matter. The investigation only got under way in October 2017.
In the three instances of privacy breach, the following PHI could potentially have been accessed: patients' names, dates of onsite clinic service, medical histories, vaccinations, test and evaluation results, diagnoses, travel medicine prescriptions and workers' compensation data.
QuadMed has announced that it has corrected the technical issue. Access controls have been put in place to safeguard PHI and ensure that only authorized persons can access it. QuadMed employees also received additional training to clarify the HIPAA requirements for protecting PHI.