Reminder that small-n medical privacy breaches can cause harm
Over on PogoWasRight.org this morning, I linked to a post by Eric Goldman involving litigation over a medical privacy breach. One plaintiff claimed to have suffered significant harm in her life due to a hospital employee mailing her information to an unrelated third party who then posted it online.
I mention that case because although many sites (including this one) tend to report dramatic headlines about data breaches in the medical sector where, the larger the number affected, the louder the headline. The reality, though, is that breaches involving a single individual or a few patients often cause great harm. These N=1 or small-number breaches do not appear on HHS’s public breach tool, although they do get reported to HHS.
Sometimes, we learn about these small incidents because local news media reports on them or bloggers like Eric Goldman inform us about them. And sometimes, we find out because they appear on state attorney general breach sites.
Today, DataBreaches read a breach notification letter to one patient.
In this case, Mattapan Community Health Center in Massachusetts informed a patient about their investigation into the patient’s complaint that a former employee had inappropriately accessed their protected health information and posted it online. The letter offers no information on the former employee’s motivation to access this patient’s protected health information or post it.
MCHC’s investigation confirmed the patient’s report. The letter informed the patient about what steps they were taking in response:
To address the situation with the former employee, the Health will be sending her a cease and desist letter ordering her to, among other things, permanently delete the posts with your PHI and PI, destroy or return any Health Center PHI and PI related to you or others that are in her possession, and refrain from any communication of any sort that discloses protected information about you by any means, including but not limited to personal contact, mail, electronic mail, instant message, text message, telephone communications, via web or telephone-based applications, or any type of social media.
Does that seem like enough?
Additionally, we continue to educate and reinforce to the Health Center staff about the importance of privacy and their duty to maintain privacy even after they have left our employment to reduce the risk of this type of incident from occurring again. We are also offering you credit monitoring and identity protection services through the service of your choice at no cost to you for 24 months.
Does that seem like enough?
Would you expect to see more about the fact that the health center had neither prevented nor detected inappropriate access when it occurred in July and only learned of the breach when the patient contacted them to complain in October? What will the health center do to improve their ability to prevent and quickly detect such breaches?
You can read the notification letter found at https://www.mass.gov/doc/assigned-data-breach-number-28607-mattapan-community-health-center/download below.28607