Hope Hospice, located in New Braunfels, Texas, has sent out more than 800 patient notifications after an employee sent out sensitive patient data through unsecured email twice since December 2012.
The employee sent the recent referral and admission activity reports through email on December 27, 2012 and again in February 22, 2013. Hope Hospice says that it learned of the breach on Feb. 25 during a standard security check.
Both the notice and the KGNB news station in Texas refer to the email as “unsecured”, which would likely mean it was unencrypted. The breach potentially compromised patient information such as patient names, referral sources, admission and discharge dates, the names of insurance providers, and chart numbers. But there were no Social Security numbers, dates of birth or addresses included in the emails.
Hope Hospice said it is reviewing its privacy and security policies, though it would be helpful if they alert patients once they’ve reviewed them and explain what went wrong and how it will mitigate those risks in the future. And while the organization doesn’t believe they will incur any financial harm and recommended in the notifications that they create fraud alerts for their bank accounts, it hasn’t offered credit monitoring to those patients yet. Hope Hospice included this notice on its site, shown here on PHIPrivacy.net, though it wasn’t easy to find as the second item down on its news page.
Through a routine internal compliance audit on February 25, 2013, Hope Hospice discovered a potential security breach after finding an employee had emailed a report of recent referral and admission activity to themselves via an unsecured channel on December 27, 2012 and February 22, 2013. The information included in the report was limited to 818 patient names, referral source, referral and admission date, name of insurance company, chart number, county and date of discharge. The information did not include other sensitive personal identification such as social security numbers, dates of birth or addresses. Due to the number of affected individuals and the agency’s policy against using unsecured channels for communicating patient information, each patient or their next of kin is being notified of the occurrence.
The information was secured February 28, 2013 and the Agency does not believe the type of information included presents a risk of financial harm. However, affected individuals are encouraged to contact their financial institutions as well as any one of the three major credit bureaus to place a fraud alert on their account.
In response to this incident, all staff members have received additional training, and the agency is performing a comprehensive review to further refine its policies and procedures related to patient privacy and security. Steps are also underway to further improve the security of the agency’s operations.
The agency has a toll-free number to call us with questions and concerns about your personal information. You may call Debra Houser-Bruchmiller, CEO at 800-499-7501 from 8 AM to 5 PM, Monday through Friday with any questions. In addition, patients may visit the agency’s website at www.hopehospice.net for further information and links to web sites that offer information on what to do if your personal information has been compromised.