Last month, Dignity Health reported breaches to HHS that involved three of their hospitals in Nevada: Dignity Health St. Rose Dominican Hospitals – San Martin (1764 patients); Dignity Health St. Rose Dominican Hospitals – Siena (2078 patients), and Dignity Health St. Rose Dominican Hospitals-DeLima (2174 patients). The incident involved the hospitals providing documentation to an unnamed local contractor that they had used for years to process court-related health documents. Through a clerical error, the contract had not been renewed, so for a while, there was no contract in place although the hospitals continued to provide patient information to the contractor. The contractor handled the materials properly despite the lack of contract, and the contract renewal went through to restore the contractual relationship.
But the Nevada reports were not the only breaches the health system has recently reported. Dignity Health St. Joseph’s Hospital and Medical Center in Arizona recently identified a data breach incident and is notifying patients whose records may have been compromised. According to a statement on their web site:
As part of St. Joseph’s commitment to the security of its patients, the hospital consistently reviews employees’ access to electronic medical records. As a result, the hospital has identified that from October 13, 2017 through March 29, 2018, a hospital employee viewed portions of 229 patient medical records without a business reason to do so.
Information that may have been viewed included certain demographic information, including name and date of birth, and clinical data such as nurses’ or doctors’ notes and diagnostic information. Because the information viewed did not include Social Security, billing or credit card information, the hospital has no reason to believe these patients need to take any action to protect themselves against identity theft.
Dignity Health St. Joseph’s Hospital and Medical Center is deeply committed to protecting its patients. Any person who accesses medical records without a job-related reason is in violation of St. Joseph’s policy and appropriate action has been taken in response to this event.
St. Joseph’s regrets any inconvenience caused by this incident. Letters have been mailed to patients whose medical records may have been viewed and the hospital has established a call center to answer any questions they may have. Individuals who were patients at St. Joseph’s between October 13, 2017 and March 29, 2018 and have questions, can call 877.406.9191.
Because fewer than 500 patients were affected, that incident does not appear on HHS’s public breach tool.
But what does appear on HHS’s breach tool is a recent incident involving Dignity Health in California that reportedly involved 55,947 patients. That incident is coded as “Unauthorized Access/Disclosure” involving email, which might indicate a hacking or phishing incident, but it is not totally clear. DataBreaches.net has reached out to Dignity Health to request clarification as to what happened in that incident. This post will be updated when I obtain some clarification on the incident.
UPDATE: Dignity Health sent me the following statement about the breach affecting 55,947 patients:
SAN FRANCISCO, CA – June 4, 2018 – On April 24th, 2018, Dignity Health,
including its affiliates Dignity Health Medical Group Nevada, LLC, and Dignity Health Medical Foundation, discovered that an email list formatted by Healthgrades, one of its business associates, contained a sorting error. This error resulted in Dignity Health inadvertently sending misaddressed emails to a group of patients, informing them of a new online appointment scheduling tool. Immediately upon learning of the incident on April 25th, Dignity Health and Healthgrades launched a comprehensive investigation.
Dignity Health and Healthgrades have taken immediate steps to notify the affected patients. Patients with questions or concerns should call 1-877-802-1959. Dignity Health and Healthgrades investigated and corrected the problem and the companies are putting appropriate steps in place so that it will not happen again.
Each misdirected email was sent to only one person. The emails contained the wrong patient’s name and, in some cases, his or her physician’s name. No other information was included in the email. Importantly, there was no financial, insurance, or medical information included.
All of us at Dignity Health and Healthgrades take our responsibility to protect patients’ personal and medical information very seriously. We sincerely regret that this error happened and any concern or confusion it may have caused.