Geisinger Health Plan (GHP) recently announced that it experienced an unauthorized PHI disclosure affecting 2,814 members from 220 employers.
GHP said it learned on August 4, 2016 that a processing error had taken place for July 30, 2016 invoices. The error may have led to PHI “being mistakenly mailed to private citizens,” the health plan said in its statement. GHP added that the error has since been fixed.
Member name, date of birth, health insurance premium information, member identification number and smoking status were included on the invoices. Medical treatment or financial information, such as Social Security numbers, was not included, according to GHP.
“We have contacted both the affected members and businesses regarding the processing error and the possibility of a disclosure,” Geisinger Privacy Officer John Gildersleeve said in a statement. “In addition, we have requested that the invoices be returned so they can be properly destroyed in compliance with Geisinger Health System policies and procedures.”
Gildersleeve added that if individuals did not receive a notification letter, then their PHI was not included in this incident.
“We take our responsibility to protect personal information seriously,” he said. “We apologize for any inconvenience and remain dedicated to safeguarding member information.”
PHI breach after binder reported missing
An Oberlin, Kansas facility reported a PHI breach after it was discovered that a CAT scan log binder was not in its typical location.
Decatur Health Systems (DHS) explained in an online statement that the binder was likely taken from DHS between 5pm on July 22, 2016 and 7am on July 25, 2016. The information in the binder held data on 707 patients, and included patient names, dates of birth, dates of exams, diagnoses leading to the CAT scan, ordering providers, and x-ray exposure levels. Social Security numbers were not included.
DHS added that it is working with local and federal law enforcement agencies to retrieve the binder, find who removed it, and determine how the patient information may have been used:
DHS knows the importance of keeping protected health information private and sincerely apologizes to the patients whose names were in the binder. They are working to ensure all patient information contained in other hard copy records and other sources of patient information are secure. They have changed key locks within the facility, conducted audits, and implemented new policies and processes. DHS employees have received additional training on security beyond their annual education and training.
DHS Privacy Officer Erica Fortin said that potentially affected individuals will receive a notification letter. Should patients have further questions, they are encouraged to reach out to her.
Calif. doctor reports improper disposal of information
Los Banos, California-based Dr. Pratap Kurra was told on August 9, 2016 that papers related to his practice were found in a trash container.
Kurra explained in a press release that an investigation revealed that one day prior, “billing tickets used by his practice were accidentally thrown away during his move.” However, all records were retrieved within 24 hours.
“Dr. Kurra was in immediate contact with hospital administrative staff, he discussed this matter with his staff to ensure such an event does not happen again, and he notified the appropriate state and federal agencies about this incident including the California Attorney General and Health and Human Services Department,” the statement explained.
Potentially exposed information includes patient names, procedure type, surgeon, Dr. Kurra's name as the anesthesiologist, hospital, date, and time of procedure, type of anesthesia used, and difficulty of case. However, Social Security numbers, dates of birth, financial information, medical insurance information, patient identification numbers, and contact information were not included in the billing tickets.
While the release did not specify how many patients were potentially affected, it did state that it was limited to patients from December 1, 2011 to April 30, 2016.
Electronic file system accessed by unauthorized party
University Gastroenterology (UGI) in Rhode Island recently announced that some personal information and PHI may have been exposed after an unauthorized party accessed an electronic file system.
UGI discovered on July 11, 2016 that the system was accessed, and that several files were then encrypted. UGI had reportedly acquired the system from Consultants in Gastroenterology in 2014.
“We take the privacy and security of personal information very seriously, have already taken steps to prevent a similar event from occurring in the future, and are making additional security enhancements to protect the privacy and security of patient information,” UGI said in its statement. “This includes deploying an enhanced anti-malware solution to every computer and server within our system, disabling inactive user accounts, and removing the affected servers from our network.”
While patients’ medical records were not included in the files, they may have contained patient names, addresses, dates of birth, Social Security numbers, and medical billing information.
UGI added that it is not aware of any attempted or actual misuse of patient information. Even so, individuals who receive a notification letter are encouraged to enroll in the complimentary identity protection services UGI is offering.