Hope Community Resources (HCR) of Alaska accidently exposed 3,700 disabled patients’ protected health information (PHI) in an email Monday night. The Alaska Department of Health and Social Services (DHSS) said it is investigating the breach.
The email, according to the Alaska Dispatch, was a survey sent to support an accreditation campaign that Hope needs by 2015 to continue receiving Alaska state funding and mistakenly had the PHI attached as well. If the Department of Health and Human Services (HHS) lays down a heavy fine (up to $1.5 million), the organization’s funding may be affected dramatically. Ironically, one of the questions asked clients how happy they were with Hope’s patient data protections. Some of those state workers and others who assist the disabled were among those who saw the PHI, which included names, dates of birth, guardians and parents, addresses and other data, in the email.
Hope is reviewing how the PHI was attached to the survey in the first place and had attempted to recall the email before it was sent out, but recipients had already seen it and were asked to delete it. “We plan to notify everyone involved and will be sending out an apology letter to everyone who had their personal information disclosed in the attachment,” said HCR chief of staff Tonya Rambow to the Dispatch.
A breach such as this one needs to be watched even more closely than others because some of the disabled patients may not be able to ensure their identities are protected. How DHSS reacts to the breach will be interesting after it was fined $1.7 million by HHS last June after unencrypted PHI on a USB stick was stolen from an employee’s car.