Billing database gaffe begets breach

LSU, Siemens send out notification letters
By Erin McCann
12:00 AM

Siemens Healthcare and Louisiana State University at Shreveport are notifying 8,330 patients of a HIPAA breach following a database mishap that resulted in billing and treatment information being mailed to the wrong patients.
Officials discovered the breach March 18 after LSU began receiving calls from patients saying their bills were incorrect. "After an investigation, it was discovered that an error had occurred in one computer data entry field," a LSU website notice read. "When printing statements, this error caused the names and treatment information for one patient to incorrectly align with another person's mailing address."
LSU Shreveport Spokesperson Sally Croom said a variety of medical treatment data was compromised in the breach, such as complete blood count tests, vaccinations and other medical tests. The letters did not contain Social Security numbers, financial data and dates are birth, Croom confirmed.
Notification letters were mailed to affected patients May 15. LSU Health Shreveport operates three acute care hospitals: the 459-bed LSU Medical Center; Monroe, La.-based EA Conway Medical Center and the Pinevillle, La.-based Huey P. Long Medical Center.
When asked whether Siemens Healthcare or LSU was responsible for the error, Croom said they were unsure. "That's a question that's going to come up (in the future)," she said. "Our focus has been on fixing the problem . . . and that involves safeguards for the database on both our parts," in an emailed statement to Healthcare IT News.
"Patient privacy is very important to us at LSU Health Shreveport, and we will continue to work with Siemens to ensure that the billing process executes correctly and without errors," added Croom.
Siemens Medical Solutions also came under fire in 2010 when it lost seven unencrypted CDs containing the protected health information of more than 130,00 patients via mail.
The state of Louisiana has only reported two other HIPAA breaches involving 500 individuals or more to HHS since the 2009 Breach Notification rule, which could be an indication of underreporting.
This, says OCR's Leon Rodriguez, could easily turn into an enforcement issue with the new HIPAA rules, which were released in January. "We're looking for that high level of sensitivity," he said at the 2012 Privacy and Security Forum. "Failure to conduct activity monitoring was a consistent issue among a broad variety of agencies. So we are looking at that issue."
According to data from HHS, more than 21 million patient records have been compromised in healthcare data breaches since 2009, resulting in $15.3 million in enforcement activity.
What's even more concerning, as Lisa Gallagher, senior director of privacy and security for HIMSS, pointed out at the 2012 Privacy and Security Forum, is that "data breaches involving 499 or fewer are not counted in the HHS final count."
Gallagher estimated that between 40-45 million patient records might have been compromised. The number can't be confirmed, as the data isn't all there, she added, but it's a more accurate number based on healthcare organizations' reporting.
Errors such as the Siemens billing database error are not to be taken lightly, said Washington, D.C.-based attorney and patient privacy advocate James Pyles.
Electronic health information "is accessible from anywhere in the world," he told Healthcare IT News. "Once it's stolen electronically, it can exist forever, and it can exist in an infinite number of places."