Employee gaffe causes 2 data breaches

20K get breach notification letters
By Erin McCann
10:07 AM

More than 20,000 patients seen at a San Diego hospital are getting HIPAA breach notification letters after employees on two separate occasions emailed protected health information to job applicants by mistake. One incident occurred nearly two years ago, with patients just being notified now. 

Rady Children's Hospital discovered June 6 an employee had emailed a spreadsheet containing PHI of 14,121 to four job applicants. The employee, who had authorized access to the data, had meant to send a training file to evaluate the applicants, but instead attached actual patient information by mistake, according to Rady officials. 

The data compromised included patients' names; dates of birth; medical diagnoses; admit and discharge dates; medical record numbers; and other information including insurance carrier and claims information.

[See also: What scares security officers the most.][See also: Hacker calls health security 'Wild West'.]

Rady Children's learned of this incident June 10 and subsequently contacted the four individuals who received the emails. It was discovered that the email was forwarded to an additional two individuals. Out of the six recipients, four were able to open the file.

"Our first priority has been to confirm that each of the recipients deleted the email and the attachment from their computer and/or external devices. Each recipient in this first case confirmed in writing they have removed the email and attachment," read a hospital notice. The hospital has reportedly hired an outside security firm to verify the files have been deleted from the job applicants' devices.

In a separate incidence, Rady officials discovered another data breach that occurred for three months back in 2012 in a similar instance after an employee emailed a training exercise, containing patient data of 6,307 patients to three job candidates. An additional six job applicants came to the Rady Children's campus to take the test on a Rady Children's computer, but had no ability to save, store or send the data.

Rady officials have not yet responded to requests as to whether the same employee was responsible for both breaches. 

[See also: Groups hit with record $4.8M HIPAA fine.]

Information included patients' names, discharge dates, location they were seen, and account information such as the payer name and balance. 

"We are making every effort to contact the three recipients of the email to confirm that the email and file have been destroyed," officials said. 

According to a Rady press release, the hospital in the future will be using commercially available and validated testing programs to evaluate job applicants. Officials indicated they will be implementing an automated flagging of emails that may contain protected health information that will subsequently require an additional level of approval before the email can be sent. 

Folks at the 38-hospital Kaiser Permanente have recently rolled out a similar popup warning platform whenever PHI might be sent, which has resulted in a 90 percent drop in those types of emails going out, said Kaiser's chief security officer and chief technology risk officer Jim Doggett at the HIMSS Media/Healthcare IT News Privacy and Security Forum this week. 

"We extend our sincerest apologies to the affected families and to our community," read the hospital notice.