Advocate Christ Medical Center demonstrates how NOT to respond to a HIPAA breach
Ok, we know mis-mailings and mix-ups happen, right? But what allegedly happened with Advocate Christ Medical Center is yet another example of how NOT to respond to an incident while claiming you take privacy and security seriously.
CBS in Chicago reports that Advocate Christ Medical Center in Oak Lawn, Illinois sent Darnell Payne some other patient’s complete records when he requested his own medical file.
But when he contacted them about their mistake and kindly offered to bring them back the other patient’s files, how did they respond? Did they say, “Oh, thank you so much but no need to do that… we’ll send someone over to you to pick them up immediately?”
No, they apparently did not.
According to Payne, the hospital’s only response was, “No, that’s impossible.” He said that is what the hospital said not only about the offer to bring back the records, but about the very error itself.
“‘Impossible.’ Her statement to me was, ‘That’s impossible.’ (I said) ‘But I have it!’” Payne said. “(The hospital said), ‘There’s no way that that could have happened.’ But it did!”
But wait for it. Their incident response gets even WORSE. When he re-requested his OWN records, the hospital sent him a bill.
To this day, he reportedly still has the other patient’s records.
Paging OCR to Aisle 4… paging OCR to Aisle 4.