Cook County Health & Hospitals System notifies hundreds of patients that email with PHI was sent without encryption

On September 17, Cook County Health & Hospitals System posted a breach notification on their site:

As part of a collaborative public health project, an individual working on behalf of CCHHS sent an e-mail to an authorized individual at a non-Cook County healthcare organization in July 2014.

The transmitted information contained protected health information that was not encrypted. Encryption is a process that converts the information into a format that cannot be easily understood by unauthorized people. This was identified immediately after the e-mail was sent. The receiving organization deleted the e-mail without reviewing the contents. There has been no indication of unauthorized use of the information and CCHHS officials have notified affected individuals.

The information contained patient names, date of birth, race, ethnicity, gender, zip code, medical record number, date of service, place of service, type of lab test performed and lab test results. The information DID NOT contain patient addresses or social security numbers.

CCHHS provides ongoing training to its workforce on issues surrounding patient privacy. In response to this incident, CCHHS initiated corrective actions to make every effort to ensure this does not happen again and has followed its policies and procedures with regard to violations of patient privacy.

Patients who have questions or would like additional information should call toll-free 1-877-476-1873 (8 a.m. to 5 p.m. Monday through Friday), e-mail the Cook County Health & Hospitals System Compliance Program at [email protected] or send a letter to Cathy Bodnar, Chief Compliance and Privacy Officer, Cook County Health & Hospitals System, 1900 West Polk, Suite 123, Chicago, IL 60612.

This incident was reported to HHS as affecting 767 patients. Significantly, perhaps, considering that lab tests and results were included in the email, CCHHS listed South Suburban HIV/AIDS Regional Clinics as the business associate involved. SSHARC did not respond to an email inquiry sent earlier today via their website for a statement.

About the author: Dissent
