Coding update makes for HIPAA breach blunder

Colorado state agency notifies some 3K individuals
By Erin McCann
10:56 AM

A state health agency is mailing HIPAA breach notification letters after a coding error caused letters containing protected health information to be sent to the wrong recipients.

The Colorado Department of Health Care Policy and Financing has notified 1,622 households (about 3,000 individuals, according to a CBS report) that their protected health information, including names, addresses and employment/income data, was compromised following a coding error.

Because "very old code" was in place in the state's information systems, the code was updated, Tauna Lockhart, spokesperson for the Colorado Governor's Office of Information Technology, told Healthcare IT News.

"This update revealed a vulnerability," and when the update was made, values started populating form fields that were "not intended or anticipated," she added.


The misdirected letters were mailed to recipients between May 25 and July 5, 2015; OIT fixed the "technical error" on July 5.

"The department and its partners take the privacy of our members' information very seriously and are notifying those impacted by this breach," said Susan E. Birch, executive director at Colorado's Dept. of Health Care Policy and Financing. "The department, in partnership with its vendors, has taken additional steps to prevent future errors."

According to Verizon's 2015 Data Breach Investigations Report, miscellaneous errors account for 19 percent of all data security incidents in the healthcare industry. These are cases of plain human error, and they are a serious problem in healthcare. The largest share of those errors, 37 percent, were mis-delivery: data sent to the wrong recipient.

How does an organization prevent something like this? The Verizon report's recommendation is basic: before a mass mailing, "put in place simple sampling processes to ensure envelope addresses and contents match."
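The check Verizon recommends, applied to the failure mode Lockhart describes (form fields populated with values from the wrong record), as an added worked example. This is not code from HCPF, OIT or Verizon, and it does not reproduce the actual defect: the recipient list, the letter template, the field names and the `shift` mechanism used to simulate misaligned merge fields are all hypothetical, and the three sample records are constructed inline.

```python
"""Pre-mailing consistency check for a merged letter batch.

Added illustrative example; it is not code from Colorado HCPF, OIT or
Verizon and does not reproduce the actual defect. The batch format,
field names and sample records below are hypothetical and constructed.
"""
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Recipient:
    """One envelope-side record from the recipient list (constructed)."""
    member_id: str
    name: str
    address: str
    income: str  # sensitive value that must only appear in this member's letter


@dataclass(frozen=True)
class Letter:
    """One rendered letter: who the envelope is addressed to, the merge
    values the template was populated with, and the resulting text."""
    envelope_id: str
    fields: dict
    body: str


TEMPLATE = (
    "Dear {name},\n{address}\n"
    "Our records show household income of {income} for member {member_id}.\n"
)


def render_batch(recipients, shift=0):
    """Populate the template once per recipient.

    shift=0 is correct behaviour. shift=1 simulates the class of defect the
    article describes: the envelope goes to row i, but the form fields are
    populated from row i+1 (a hypothetical mechanism, used only to exercise
    the check).
    """
    letters = []
    n = len(recipients)
    for i, envelope_for in enumerate(recipients):
        src = recipients[(i + shift) % n]
        fields = {"name": src.name, "address": src.address,
                  "income": src.income, "member_id": src.member_id}
        letters.append(Letter(envelope_for.member_id, fields, TEMPLATE.format(**fields)))
    return letters


def check_letter(recipient, letter, all_recipients):
    """Return the findings for one envelope/letter pair; empty means consistent."""
    findings = []
    if letter.envelope_id != recipient.member_id:
        findings.append("envelope addressed to a different member")
    for key in ("name", "address", "member_id", "income"):
        if letter.fields.get(key) != getattr(recipient, key):
            findings.append(f"field {key!r} was populated from another record")
    # Independent of the merge fields, the rendered text must not carry any
    # other member's identifier.
    for other in all_recipients:
        if other.member_id != recipient.member_id and other.member_id in letter.body:
            findings.append(f"body references member {other.member_id}")
    return findings


def check_batch(recipients, letters, sample=None, seed=0):
    """Check every envelope/letter pair, or a random sample of them.

    Returns {envelope member_id: [findings]} for the pairs that fail.
    A count mismatch is reported under the key "__batch__".
    """
    if len(recipients) != len(letters):
        return {"__batch__": ["recipient count differs from letter count"]}
    by_id = {r.member_id: r for r in recipients}
    indexes = list(range(len(letters)))
    if sample is not None:
        indexes = random.Random(seed).sample(indexes, min(sample, len(indexes)))
    problems = {}
    for i in indexes:
        letter = letters[i]
        findings = check_letter(by_id[letter.envelope_id], letter, recipients)
        if findings:
            problems[letter.envelope_id] = findings
    return problems


# Constructed sample recipient list; names and values are placeholders.
RECIPIENTS = [
    Recipient("M-1001", "A. Example", "1 Main St, Denver CO", "$31,200"),
    Recipient("M-1002", "B. Example", "2 Main St, Aurora CO", "$47,800"),
    Recipient("M-1003", "C. Example", "3 Main St, Pueblo CO", "$19,950"),
]

if __name__ == "__main__":
    print("correct batch:", check_batch(RECIPIENTS, render_batch(RECIPIENTS)))
    print("shifted batch:", check_batch(RECIPIENTS, render_batch(RECIPIENTS, shift=1)))
```

The `sample` parameter implements the sampling Verizon suggests, but because the comparison is cheap there is no reason not to run it over the whole batch before anything is printed; a full run also catches a misalignment that only affects a few rows, which a small sample can miss. The check compares the letter against the envelope record on every field, not just the name, because a defect that shifts only the income or member ID field would leave the salutation and address looking correct.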

This is hardly an isolated case of individuals receiving other people's protected health data and personal information. There have been numerous cases of vendors and healthcare providers accidentally posting patient data online or failing to update software.

It's nothing to put on the back burner. Just last spring, New York-Presbyterian Hospital together with Columbia University Medical Center settled a record HIPAA violation case, agreeing to hand over a whopping $4.8 million after PHI of nearly 7,000 patients wound up on Google back in 2010.

The breach was discovered by an individual who saw the ePHI of their deceased partner, a former patient of the hospital, online.