St. Joseph Health notifies patients of HIPAA breach due to failure to redact patient names from file sent to investment firm

St. Joseph Health reports that it experienced a privacy breach on February 18 when an employee neglected to delete a tab in an Excel spread sheet that contained patients’ names before sending the data to an investment firm preparing a proposal for St. Joseph Health.  SJH’s letter to those affected explains:

St. Joseph Health provides central support services to its members including St. Joseph Home Care NetworkOn the evening of February 18, 2014 at 7:47 PM, we discovered that at 5:04 PM on that same day one of our employees inadvertently sent a Microsoft Excel file containing patient information to an employee at Cain Brothers, an investment firm that had requested certain de-identified information to complete a business proposal for us. By accident, our employee did not delete the file tab that included identifiable patient information. This file was not secured by technology, like encryption, that would have rendered the file unusable or unreadable by the recipient.

We discovered the issue on the same evening the email was sent and immediately contacted the recipient of the file requesting that it be deleted and not used or disclosed. The next day, we received verbal and electronic confirmation from the recipient that the file was deleted and information was neither used nor disclosed.

Although we know your information was involved in this inadvertent disclosure, we can assure you that no social security numbers, financial information (such as account or insurance numbers), or contact information were included. Rather, the following was disclosed as it may relate to services that you’ve received from St. Joseph Home Care Network between the dates of July 1, 2012 and June 30, 2013: your name, patient code (which is not your social security number or account number), referral source, referral type, admit date, termination date, admission status description, admission disposition description, and treating business unit.

The following files were submitted to California Attorney General’s breach site; they differ only in the name of the provider: St. Joseph Home Care Network,  St Joseph Health System Home Care Services, and St Joseph Health System Home Health Agency:

About the author: Dissent

Comments are closed.