OCR Imposes a $2.15 Million Civil Money Penalty against Jackson Health System

Note: coverage of the breaches referenced below can be found on this site by searching it for “Jackson Health System.” The following is a press release from the U.S. Department of Health and Human Services Office for Civil Rights:

The Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services has imposed a civil money penalty of $2,154,000 against Jackson Health System (JHS) for violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security and Breach Notification Rules between 2013 and 2016.

JHS is a nonprofit academic medical system based in Miami, Florida, which operates six major hospitals, a network of urgent care centers, multiple primary care and specialty care centers, long-term care nursing facilities, and corrections health services clinics. JHS provides health services to approximately 650,000 patients annually, and employs about 12,000 individuals.

On August 22, 2013, JHS submitted a breach report to OCR stating that its Health Information Management Department had lost paper records containing the protected health information (PHI) of 756 patients in January 2013. JHS’s internal investigation determined that an additional three boxes of patient records were also lost in December 2012; however, JHS did not report the additional loss, or the increased number of individuals affected, 1,436, until June 7, 2016.

In July 2015, OCR initiated an investigation following a media report that disclosed the PHI of a JHS patient. A reporter had shared a photograph of a JHS operating room screen containing the patient’s medical information on social media. JHS subsequently determined that two employees had accessed this patient’s electronic medical record without a job-related purpose.

On February 19, 2016, JHS submitted a breach report to OCR reporting that an employee had been selling patient PHI. The employee had inappropriately accessed over 24,000 patients’ records since 2011.

OCR’s investigation revealed that JHS failed to provide timely and accurate breach notification to the Secretary of HHS, conduct enterprise-wide risk analyses, manage identified risks to a reasonable and appropriate level, regularly review information system activity records, and restrict authorization of its workforce members’ access to patient ePHI to the minimum necessary to accomplish their job duties.

JHS waived its right to a hearing and did not contest the findings in OCR’s Notice of Proposed Determination. Accordingly, OCR issued a Notice of Final Determination and JHS has paid the full civil money penalty.

“OCR’s investigation revealed a HIPAA compliance program that had been in disarray for a number of years,” said OCR Director Roger Severino. “This hospital system’s compliance program failed to detect and stop an employee who stole and sold thousands of patient records; lost patient files without notifying OCR as required by law; and failed to properly secure PHI that was leaked to the media.”

The Notice of Proposed Determination and Notice of Final Determination may be found at: http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/jackson/index.html.

Jackson Health System notifies 1,407 patients of missing records

Statement from Jackson Health System in Florida:

Jackson Health System has conducted an internal investigation regarding several boxes of medical records that are unaccounted for and/or are missing from Jackson Health System Health Information Management (HIM) department. Those 1,407 patients whose personal information was accessed have been notified and offered free credit card fraud protection. However, there was no breach of the most sensitive information, such as Social Security numbers, credit card numbers or financial statements.

After learning of this breach, a cross-departmental team performed a review and instituted a corrective action plan that includes additional training and the installation of security cameras throughout the HIM areas.

The safety and security of all Jackson Health System patients is a top priority. Any allegations about a breach in security and privacy are taken extremely seriously. Jackson is committed to patient confidentiality and strictly adheres to all federal and state patient privacy laws. In order to protect our patients’ rights and private information, we enforce strict rules for those who handle patient information and continually educate all employees on privacy regulations.

In its coverage of this incident, the South Florida Business Journal reports that the breach was discovered by an internal investigation, but that’s not clear from Jackson’s statement. The Miami Herald reports that the boxes have been missing since January and that the records, which might include diagnoses, surgical procedures, and other healthcare data, were either on their way to be scanned electronically or returning from the process. Their coverage also includes some details of the corrective action plan.

US charges 104 in Florida in latest ID theft-fraud roundup

AP reports: Federal authorities have charged 104 people with numerous identity theft and fraud offenses in the latest South Florida crackdown on a rampant problem involving tens of thousands of stolen personal identities. […] In one of the largest cases, an employee at Miami’s Jackson Health System is accused of stealing identities from 24,000 people using hospital computer databases. Court documents show Evelina Sophia Reid, 35, is charged in a 14-count indictment for an alleged scheme that ran over five years. No attorney is listed for Reid in court documents. Read more on Argus Press.

Fired after NFL player’s medical chart leaked to ESPN, worker sues

There’s an update to the case involving the breach of Jason Pierre-Paul’s medical information. Daniel Chang reports: A secretary fired from Jackson Health System on grounds she breached the privacy of New York Giants’ player Jason Pierre-Paul’s medical records has sued Miami-Dade’s public hospital network, denying she accessed the private information and saying her former employer defamed and libeled her. […] In a recent response to the suit, however, Jackson Health stood by its firing of the secretary and a second employee, Immacula Richmond, a clinical staff nurse in the operating room, for inappropriately accessing Pierre-Paul’s health record in violation of federal patient privacy laws. Richmond is not a party to the lawsuit. Read more on the Miami Herald. And then tell me how/why a secretary had access to that information at all?

Jackson Health: ‘Rogue’ employee suspected of stealing private patient information

Daniel Chang reports: A ‘rogue’ employee at Miami-Dade’s public hospital network, Jackson Health System, was placed on administrative leave for suspicion of stealing reams of private patient information over the last five years in a scheme that may have compromised more than 24,000 records, according to hospital officials. Evelina Reid, a hospital unit secretary and Jackson Health employee since 2005, has been placed on administrative leave and stripped of her access to all facilities and records, CEO Carlos Migoya reported on Tuesday in a memo to Miami-Dade commissioners and the hospital system’s board of trustees. Read more on The Miami Herald.

I’m surprised that the employee was named publicly, but now it’s out there in public. JHS issued the following media statement yesterday:

Miami, FL – ‘Jackson Health System has launched a full investigation and is cooperating with law enforcement agencies regarding a rogue hospital employee who may have stolen confidential patient information including names, birthdates, social security numbers, and home addresses over the last five years. The employee was placed on administrative leave pending termination proceedings, and all of her access to Jackson systems, facilities, and patient information was immediately revoked.

Jackson Health System is committed to patient confidentiality. The safety and security of our patients is top priority. In order to protect our patients’ rights and private information, we enforce strict rules for those who handle patient information. We are already in the process of acquiring and implementing a more robust security system to monitor access to patient records. Any allegations about a breach in security and patient privacy are taken extremely seriously. Jackson Health System continually educates all employees on privacy rules and regulations and has zero tolerance for violations.

Those patients whose personal information was accessed will be notified and offered free credit monitoring. Patients seeking additional information about this breach should email [email protected]’

Jackson Health: Investigation into NFL player’s leaked patient records ‘ongoing’

Daniel Chang reports: More than two months after the chief executive of Jackson Health System promised an “aggressive internal investigation” into the unauthorized release of the medical chart for New York Giants pass rusher Jason Pierre-Paul — a possible violation of federal privacy laws — hospital officials have yet to explain how the breach occurred, who was responsible for the leak or what they are doing to prevent such incidents in the future. Read more on Miami Herald.

Hospital investigating leak of Jason Pierre-Paul’s medical information

More on a privacy breach previously noted on this blog. Henry McKenna reports: The hospital treating Giants defensive end Jason Pierre-Paul has begun searching for the cause of a data breach, which allowed ESPN reporter Adam Schefter to share Pierre-Paul’s medical records on Twitter on Wednesday. The documents showed Pierre-Paul was scheduled for a right index finger amputation after a fireworks accident on the Fourth of July. “Late Wednesday, media reports surfaced purportedly showing a Jackson Memorial Hospital patient’s protected health information, suggesting it was leaked by an employee,” Jackson Health System CEO Carlos Migoya told WPTZ.com. “An aggressive internal investigation looking into these allegations is underway. If these allegations prove to be true, I know the entire Jackson family will share my anguish.” Read more on Boston.com.

I’ve read a lot of stupid comments about the matter on Twitter. You can eliminate a lot of them if you just ignore any tweet that screams about “HIPPA” violation. If they don’t know it’s “HIPAA” and not “HIPPA,” there’s a good chance they don’t know much about what the law says, either. But let’s make a few things clear:

The media is not bound by HIPAA. If they get something, they can generally use it – unless they participated in a crime to get it. If an employee just gave the medical record to the reporter without the reporter telling the employee how to breach HIPAA or facilitating any breach of HIPAA, then there’s nothing – other than poor taste and their own ethical standards for journalism – that stops the paper from using it.

Can Pierre-Paul sue the paper and/or the hospital for a HIPAA breach? Probably not successfully. HIPAA does not provide for a private cause of action, although Florida law does provide other protections that may justify a lawsuit. And the paper would argue that this was newsworthy and protected by the First Amendment.

My best guess is that the hospital will settle with Pierre-Paul to make this all go away, and they’ll hope that HHS will be somewhat forgiving, even though this isn’t the hospital’s first insider breach.

Did the employee breach HIPAA? At this point, and in light of other media reports that indicate that Pierre-Paul did not give consent to release that record and did not, himself, provide it to the media, then yes, it sounds like there has been a HIPAA breach. And I trust the hospital really is investigating this intensively right now and will likely fire the employee. I could be wrong, of course. 🙂

HHS updates breach tool, Part 1: many older incidents newly added

Okay, so HHS decided to give me a migraine by adding no less than 37 breach incidents to its public breach tool today. I suspect, but cannot be certain, that my repeated inquiries to them about breach reports not showing up in a timely fashion – the last such inquiry a few days ago – may have contributed to today’s massive update. Interestingly, a number of the entries refer to breaches well over a year old. Have they been sitting on these reports all this time? And if so, why?

Let’s start with the breaches I knew about already:

In January 2013, Lee D. Pollan, DMD, PC notified NYS that a missing, and probably stolen, laptop contained unencrypted PHI on 13,806 former patients. That incident was reported to HHS as affecting 19,178 patients.

The Feinstein Institute for Medical Research breach involving a laptop stolen from an employee’s car was reported on this blog in September 2012, but now first shows up on HHS’s breach tool.

The Litton & Giddings Radiological Associates breach involving its janitorial service sending billing records handled by PST Services, Inc. for recycling instead of shredding was reported on this blog in October 2012. It now appears on HHS’s list and indicates that 13,074 patients were affected.

The Washington University School of Medicine (Missouri) breach involving a laptop stolen from a lecturer in Argentina was reported on this blog in January 2013. It now appears on HHS’s breach list with a notation that 1,105 patients were affected.

The El Centro Regional Medical Center breach involving records that went missing after they were turned over to an unnamed vendor for digitization and destruction was reported on this blog in May 2013. It, too, now appears on HHS’s breach list, and we now learn that the vendor was Digital Archive Management and that 501 patients were affected.

The St. Elizabeth’s Medical Center (Massachusetts) breach involving paper records first reported in February 2012 on this blog and updated in April 2012 has now been added to the breach list.

The Carolinas Medical Center – Randolph breach involving an e-mail hack that was reported on this blog in December 2012 has been added to the list.

The Volunteer State Health Plan breach added to their site appears to be a duplicate of a previous entry that had already been noted on this site. Similarly, the Vidant Pungo Hospital breach added to their breach list today also appears to be a duplicate of an earlier entry, as reported previously on this blog.

The Jackson Health System breach involving a volunteer stealing/copying PHI on a smartphone was reported on this blog in December 2012.

Children’s Hospital Boston reported 2,159 patients had PHI on a laptop stolen on March 25, 2012. I suspect that there’s a typo in HHS’s entry and that this is the May 2012 incident previously reported.

Not all the additions were older breaches. Some of the more current ones that we already knew about include:

The New Mexico Oncology Hematology Consultants breach involving a laptop stolen from an employee’s office has been added to the list. It reportedly affected 12,354 patients.

The South Carolina Health Insurance Pool (SCHIP) breach involving a laptop stolen from a De Loach & Williamson employee’s car has been added to the list.

The L.A. Gay & Lesbian Center hack resulted in notification of 59,000.

In the next post, I’ll discuss the newly added breaches we didn’t know about already.

Long after some breaches occurred, we first find out via HHS's breach tool (Update 1)

HHS updated its breach tool yesterday. The following is an annotated list of new entries on their list. It is not clear to me why there are breach entries where the breaches occurred in 2011 or 2012. Did HHS delay in adding incidents to the breach tool or are entities first discovering and/or reporting the incidents? Unfortunately, HHS’s breach list does not include a field for the date on which the incident was reported – only the date that HHS adds it to the list.

The following are newly added incidents for which we already had some information:

UT Physicians, the medical group practice of The University of Texas Health Science Center at Houston (UTHealth) Medical School, reported that 596 patients had PHI on the laptop reported missing or stolen.

The Olson & White Orthodontics burglary was reported to HHS with the same details as previously reported on this blog.

The City of Seguin, TX reported that 839 patients were affected by the Advanced Data Processing (ADPI) breach in 2012, while Washington County EMS, TX reported that 1,435 of their patients were affected and the City of North College Hill reported that 555 of their patients were affected. For all previous coverage on this blog of ADPI’s breach, click here.

Parkview Community Hospital Medical Center in California reported that 32,000 of its patients were affected by the Cogent Healthcare breach caused by a firewall error by its transcription service vendor, M2ComSys. It’s a bit surprising to see one hospital report 32,000 since media reports at the time suggested it was 32,000 total. The number of Parkview patients needs to be confirmed, as they may have been reporting the total number from Cogent and not just their portion.

Jackson Health System in Florida reported that 1,471 patients had PHI in boxes of records that were discovered missing or unaccounted for. The boxes were discovered missing in January.

St. Anthony’s Physician Organization in Missouri reported the July 29 theft of a laptop with PHI of 2,600. The laptop was stolen from a physician’s car.

Advocate Health and Hospitals Corporation, d/b/a Advocate Medical Group reported the theft of computers containing PHI on 4,029,530 patients.

The following are incidents that were not previously noted on this blog:

The Kaiser Foundation Health Plan of the Northwest reported a breach affecting 647 patients that occurred on March 15, 2013. This does not appear to be the same breach reported recently on this blog, but as yet, I’ve found no details on it, and e-mailed Kaiser Permanente to request information.

Update 1: Kaiser Permanente Northwest replied to my inquiry with the following statement:

Kaiser Permanente Northwest recently discovered that an employee viewed medical records without proper authorization. A comprehensive investigation of the incident has been completed and state and federal regulatory agencies notified. Notification letters have been mailed to every affected Kaiser Permanente member. Our internal investigation of this matter shows: There is no evidence that information was viewed by the employee for the purpose of fraud or other criminal activity. The employee had no access to Social Security numbers, credit card information, or records through Mental Health or Addiction Medicine specialties. There is no evidence that the employee retained, maintained, or stored any of the information contained in the medical records.

Summit Community Care Clinic in Colorado reported that 921 patients were affected by a Hacking/IT incident that occurred July 22. There is no statement or notice on their web site at this time, and PHIprivacy.net e-mailed them to request information. (see update HERE).

Minne-Tohe Health Center/Elbowoods Memorial Health Center in North Dakota reported a breach affecting 10,000. The breach reportedly occurred October 1, 2011, and involved “Improper Disposal, Unauthorized, Access/Disclosure”, “Desktop Computer, Other.” Clear as mud, right? I have no idea what happened there or why it took almost two years for this to show up on HHS’s breach tool. This one may require a phone call.

Logan Community Resources, Inc. in Indiana reported that 2,900 were affected by a “Hacking/IT Incident” that occurred on August 24, 2012. Again, I could find no information online a year after the breach, and so sent an e-mail requesting details of the incident.

St. Francis Health Network, aka Franciscan Alliance ACO in Indiana reported that a breach involving Advantage Health Solutions affected 2,575 patients. The breach occurred on October 19, 2012. The log entry does not appear to be related to this breach report from July involving Advantage Health Solutions, and PHIprivacy.net has e-mailed Franciscan Alliance ACO to ask for details on the incident.

Because email inquiries sent yesterday have not yet received any replies, do check back to see if this post is updated with additional details.

Jackson South Community Hospital managers resign in wake of privacy breach

Hmmm. I don’t remember reading about this breach. John Dorschner reports:

Jackson Health System announced Tuesday that two managers have resigned under pressure because of an alleged breach of patient privacy in the obstetrics unit in October at Jackson South Community Hospital. Jackson spokesman Edwin O’Dell said that South’s chief nursing officer and the head of the obstetrics unit were given the opportunity to resign and did so. O’Dell did not give the names and said the system was not revealing other details because of patients’ privacy rights.

In a memo to county political leaders Tuesday, Chief Executive Carlos Migoya wrote: “While no patients were harmed as a result of this incident, we concluded that Jackson policies were indeed violated. Consistent with our culture of accountability, employees were terminated or otherwise disciplined. Appropriate reports were made to regulatory agencies.” Migoya noted that “front-line employees at Jackson South took the appropriate actions to try preventing and recovering from this violation.”

Source: Miami Herald

So I went digging, and found a notice simply titled “Media Statement” on an inside page of Jackson Health System’s web site. The notice is dated November 30, but is more likely about the recent breach at Jackson North Medical Center involving a volunteer who took pictures of patient records with a smartphone. So what was this breach at JSCH? Anyone know?