Indian Health Service addresses data breach by contract physician

The U.S. Department of Health & Human Services’ Indian Health Service (IHS) has been responding to a breach by a contract physician that affected patients at three IHS facilities. The IHS, an agency in the U.S. Department of Health and Human Services, provides a comprehensive health service delivery system for approximately 2.1 million American Indians and Alaska Natives.

On August 25, 2014, the IHS Bemidji Area determined that a physician employed by a staffing company under contract with the IHS had improperly accessed protected health information from three IHS facilities: the Fort Yates Service Unit in the IHS Great Plains Area, the Cass Lake Service Unit in the IHS Bemidji Area, and the Crow Service Unit in the IHS Billings Area.

According to a statement issued by IHS on October 17, the breach included “patient names, Social Security numbers, and health information such as diagnoses, prescribed medications, and laboratory results.” IHS noted that there is no current indication that the information has been used by or disclosed to any unauthorized individuals.

In correspondence to PHIprivacy.net, Kella With Horn, the IHS Great Plains Area Public Affairs Liaison, disclosed that 1,720 patients were notified of the incident. IHS declined to name the contract physician’s firm, “due to the ongoing review,” but IHS’s contract with the unnamed firm did include the requirement that the contractor must protect patient privacy and comply with HIPAA.

“IHS is very disappointed that this breach occurred given that the staffing company contract included the requirement that contract providers must protect patient privacy and meet HIPAA regulations. We are committed to ensuring the security and integrity of all our patients’ personal information and are putting additional protections in place” said Acting IHS Director Dr. Yvette Roubideaux. “Keeping patient information secure is of the utmost importance to us, and we very much regret that this situation occurred.”

When asked about what the unnamed physician’s motivation was in accessing the patient information, Kella With Horn replied, “The physician stated it was done in case of malpractice suit,” but because of the ongoing review, they wouldn’t comment further at this time. “The matter has been referred to the HHS Office of Inspector General,” they noted.

On October 17, 2014, the IHS sent letters by first class mail to affected patients to notify them of the privacy breach. Affected patients were also provided phone numbers to call the Area HIPAA Coordinators and were offered one year of free credit monitoring and reporting services.

Patients who received the letter and have any questions can contact the following Area HIPAA Coordinators:

  • For the Cass Lake Service Unit in the IHS Bemidji Area – Phillip Talamasy at 218-444-0538 or [email protected]
  • For the Fort Yates Service Unit in the IHS Great Plains Area – Heather H. McClane at 605-226-7730 or [email protected]
  • For the Crow Service Unit in the IHS Billings Area- Felicia Blackhoop at 406-247-7184 or [email protected]

As a result of this incident and to help protect against further breaches, all contract staff serving the affected Areas are being required to sign a Confidentiality Agreement stating that individually identifiable information is to be held in strict confidence.

About the author: Dissent