- The Monroeville, Pa. 911 dispatch center is reportedly under investigation by the U.S. Department of Health and Human Services (HHS) due to an August 2012 HIPAA violation. In addition to a complaint that the center emailed protected health information (PHI) to a former police chief, patient data was exposed to non-authorized Monroeville employees.
The Pittsburgh Post-Gazette reports that one of the center’s databases had generic user names and passwords that allowed unauthorized users from five fire stations to easily access patient medical records from late 2011 to August 2012 with relative anonymity. (Monroeville police department and dispatch center apparently now only have access to the data.) The compromised information depended on the emergency call type, but may have included names, driver’s license numbers, birth dates and medical histories.
While Monroeville says that it will hire privacy and security professionals to help handle the investigation, the breadth of potentially-affected patients is alarming. The breach goes further than just former Monroeville police Chief George Polnar receiving patient data.
“Anyone who has called the police, called the fire department, used our [emergency medical service]” or was transferred to or from a Monroeville hospital could be affected by the breach, Monroeville manager Lynette McKinney said to the Post-Gazette.
An Office for Civil Rights (OCR) letter obtained by the Pittsburgh Post-Gazette stipulates that the Monroeville 911 dispatch center has 30 days from when the letter was sent on March 21 to conduct the investigation. The OCR requested documentation of any internal investigations of the allegations, steps taken to address the matter and Monroeville’s privacy policies to help determine whether it violated HIPAA privacy, breach notification and security rules. If the center doesn’t go along with the investigation or there was “willful neglect”, it could take as much as a $1.5 million hit.