Vendor HIPAA breach puts patient data on Google

Progress notes for cancer patients posted online
By Erin McCann
06:27 AM
A California hospital is notifying some of its patients of a HIPAA breach after their protected health information was viewable on Google and other search engines.
The 267-bed Mercy Medical Center Redding, part of Dignity Health, last week notified 620 of its patients who received cancer care at the Dignity Health Mercy Oncology Center that their protected health information was compromised when online physician progress notes became accessible through search engines. 
As hospital officials pointed out in a Dec. 22 notice, the patient data was accessible through search engines like Google after a third-party vendor had posted a link to their website containing the transcribed physician progress notes. Information compromised included names, dates of birth, diagnoses, medications, current therapy and treatment plans. Social Security numbers were not compromised. Hospital officials discovered the breach Dec. 13. 
"We are doing everything we reasonably can to prevent any similar incident in the future, including continuing to educate staff, physicians and our vendors about the importance of securing medical information," read the notice. "Mercy Medical Center Redding takes the confidentiality of patient information very seriously and we sincerely regret this incident occurred."
This is far from an isolated incident involving patient data winding up on Google. Just this September, a clinical diagnostics lab in Alabama notified more than 7,000 patients that their PHI was accessible through Google after discovering a third-party server had been unsecured for three years. 
To date, nearly 42 million people have had their protected health information compromised in HIPAA privacy and security breaches.