Staff blunder leads to HIPAA breach
'Some of it is a real education issue.'
A Pennsylvania-based hospital is notifying nearly 2,000 patients of a HIPAA breach after an employee accessed and transmitted patients' protected health data outside of the hospital's secure information network.
After conducting an internal investigation, the 551-bed Penn State Milton S. Hershey hospital on Friday notified 1,801 patients that their names, medical record numbers, medical lab tests and results, and visit dates could have been accessed by an unauthorized person or entity due to an employee mistake, according to a hospital notice.
Officials discovered that a Penn State Hershey clinical laboratory technician, who was authorized to work with protected health information, had accessed patient data via an unsecured USB device over his home network rather than the hospital network. He had also transmitted patient data from his personal email account to two Penn State physicians.
The breach was discovered by hospital officials on April 11.
"Penn State Hershey considers patient privacy and confidentiality to be of the utmost importance and chose to notify patients of this incident out of an abundance of caution," read a June 6 public notice. "To decrease the likelihood of similar circumstances occurring in the future, Penn State Hershey is increasing education efforts with employees, focusing on the essential responsibility of all staff to safeguard patient health information at all times and follow proper practices for doing so."
This is the first large HIPAA breach Penn State Hershey has reported to the Department of Health and Human Services.
As Mayo Clinic's Mark Parkulo pointed out in an interview with Healthcare IT News late last month, employee education is one of the most important parts of getting patient privacy right. "Some of it is a real education issue," Parkulo, who is the vice chair of Mayo's Meaningful Use Coordinating Group, noted. "A number of providers and other people don't understand that with typical unencrypted email, you're not even sure exactly what locations it's going to, whether it could be intercepted or not."
Because of that, in addition to the standard education given at employee orientation, Mayo tries to reach employees multiple times per year with education sessions, whether through grand rounds, online, by email, or even via the CEO.
To date, more than 31.6 million people have had their protected health information compromised in a HIPAA privacy or security breach, according to data from HHS, a figure that counts only breaches involving 500 or more individuals.
The Office for Civil Rights, the HHS division responsible for investigating HIPAA breaches, has levied more than $25.1 million in fines against covered entities and business associates found to have violated privacy and security rules.