A Virginia State Senator is under fire after an alleged HIPAA breach led to an investigation into unlawful use of patient information.
An article by the Richmond Times-Dispatch reported Senator Siobhan S. Dunnavant, a Henrico County physician, allegedly violated federal health privacy rules by using patient contact information to send political solicitations to patients during her 2015 campaign.
Dunnavant’s solicitation involved approximately 1,500 emails and 1,500 print letters sent to patients during the spring of her 2015 campaign while she ran in a four-way Republican primary for the 12th District seat.
According to a letter issued by the US Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR), Dunnavant’s use of patient contact information and her decision to disclose that information to her campaign managers broke federal HIPAA law.
Two individuals filed complaints regarding the HIPAA violation in the summer of 2015, including conservative blogger Tom White and an unnamed individual who received a letter from Dunnavant during her campaign.
HHS investigators reported that the case is considered closed. Senator Dunnavant will not face any penalties or fines as the civil rights office stated she took swift action to minimize the damage.
“For me, it’s really all about the fact that none of my patients were harmed,” Dunnavant stated in an interview with the Richmond Times-Dispatch.
Dunnavant states she regrets including an appeal for political support in a letter that was allegedly intended initially to notify patients that her political activity would not have any impact on their treatment. The senator maintains she ran the letter by her medical practice board and lawyers and they took no issue with it.
The senator claimed during the investigation that she shared patient information with her campaign legally under HIPAA’s Privacy and Security rules due to a clause regarding business associate agreements. Investigators denied the legitimacy of her claim and deemed her actions outside of the realm of what HIPAA allows.
“Dr. Dunnavant’s position that the disclosure and use of (protected health information) to and by the campaign committee was strictly related to treatment or health care operations is not supported by the evidence,” Barbara J. Holland, the mid-Atlantic regional manager for the HHS OCR, wrote in a letter dated Dec. 6. “The letter expressly encouraged patients to participate in campaign activities and invited patients to contact the campaign for additional information.”
While Dunnavant was cooperative with authorities, HHS stated they are willing to take additional action if more complaints or evidence of misconduct surface in the future.
Surgery center and medical spa suffers ransomware attack
The Susan M. Hughes Center recently suffered a ransomware attack on its computer system, potentially impacting patients.
On August 30, 2016, the surgery center and medical spa became aware of a ransomware attack on its system and immediately launched an investigation into the incident. In an announcement on the Hughes Center’s website, the organization stated they have reset all passwords, removed the infected server from the system, and transitioned instead to a backup system.
The Hughes Center requested the help of a forensic firm in the investigation, and it has since determined an unknown person accessed a server holding files that may have contained patient names, telephone numbers, dates of service, types of service or treatment, and amounts paid.
The organization has no evidence that the accessed patient information has been misused in any way, nor that any sensitive PHI, including Social Security numbers or account numbers, has been accessed.
As of December 27, 2016, the Hughes Center began mailing advisory letters to potentially impacted patients. Additionally, the organization established a call center to answer any questions patients may have regarding the status of their information.
Another healthcare organization affected by Summit ransomware attack
On October 28, 2016, Summit Reinsurance Services, Inc. alerted Alliant Health Plans, Inc. of a ransomware attack on its servers allegedly initiated on August 8, 2016.
After an investigation, Summit further notified Alliant that an unauthorized individual accessed the server around March 13, 2016.
The server contained patient data related to over 1,000 Alliant members.
Currently, the investigation has not yielded any evidence suggesting misuse of information on the impacted server. Alliant reports its members are at minimal risk of suffering consequences as a result of the incident.
Some of the information on the affected server includes Social Security numbers, health insurance information, and claim-focused medical records.
In an effort to minimize the damage, Summit is updating its policies, procedures and protections for member information, among other precautionary measures to prevent further incidents. For its part, Alliant will continue using encryption to prevent foreign access of sensitive information.
To prevent further incidents, Summit is also offering potentially impacted Alliant members access to one year of identity theft protection. Affected members will be notified of the incident in written letters.
This is one of several healthcare organizations affected by the initial ransomware attack Summit has experienced in recent months.