Saintly mix-up results in breach notification for Providence Health & Services

Providence Health & Services is notifying some of their patients that their data were exposed after an error concerning the name of the facility where they were treated:

We are writing to you about the disclosure of your medical billing information to one of our business partners. On February 18, 2015, Providence St. Joseph Medical Center discovered that a Providence staff member inadvertently sent your billing information to a company that handles billing for some of our physician medical groups that Providence contracts with in Southern California.

As a result of the clerical error, your bill was incorrectly labeled Providence Saint John’s Health Center, instead of Providence St. Joseph Medical Center – where you received services.

The billing company is a business associate, and hence, the protection of the data is still covered under HIPAA. The error, therefore, poses little risk to affected patients, even though the information included:

  • Demographic information (such as date of birth, medical record/account number, etc.)
  • Summary of charges and dates of service
  • Social Security numbers
  • The billing code for any diagnostic lab results.

Providence Health says it is working diligently with the billing company to remedy the incorrect billings and to refund any payments that were made.

“Once all billing corrections are made, none of your information will be retained by the billing company,” the company writes to those affected.

You can read the full notification letter to adult patients here, and for minor patients, here.

Although not noted in the letter, the breach reportedly occurred on November 1, 2014. Providence does not explain why it took until February 18 to detect the problem, nor how they first learned of it. The total number of patients affected was not disclosed.

About the author: Dissent

Comments are closed.