VA: Fairfax County Health notifies 1,499 patients after subcontractor error exposes info online
The Fairfax County Health Department has mailed letters to 1,499 clients of the Bailey’s Health Center, located in Falls Church, to inform them of an unauthorized disclosure of some protected health information.
This is one of those situations where it really pays to have Business Associate contracts in place where everyone understands their responsibilities to notify the covered entity of breaches. According to the county’s letter, Fairfax County contracts with Molina Healthcare, Inc. to manage the Bailey’s Health Center, which is part of the Fairfax County Health Department’s CHCN program. Molina then subcontracts with a company named Health Business Systems, Inc., which maintains a pharmacy database and provides prescription services to Bailey’s Health Center patients.
On Oct. 18, HBS notified Molina that a computer file containing pharmaceutical records was “inadvertently left on an unsecured computer server” and accessed by three separate entities on four occasions between Sept. 9 and Oct. 3. Molina notified the Fairfax County Health Department on Oct. 24.
Human error breaches are common. To their credit, HBS detected the breach itself. The county’s letter states:
The breach was discovered through a routine forensic audit performed by HBS in the normal course of business. The error was discovered on October 4, 2013; all of the compromised files containing personal patient information were moved to a secured server on October 7, 2013.
But why, then, did it take weeks more for the county to be notified? If HBS discovered the breach on Oct. 4, why did it take until October 18 for them to notify Molina? And why did it take Molina another 6 days to notify the county and the county another month and a half to start notifying patients? Is this a reasonable timeframe or is there room for improvement here?
The exposed PHI included name and address of the patient; pharmacy identification number of the patient; medication name and dosage; description of medication National Drug Code (NDC); payment information; prescriber’s name and address; and some patient social security numbers.
The county’s letter provides plain language suggestions for patients as to how to protect themselves and offers them a year of credit monitoring with AllClear ID. It also reassures patients that they are taking steps to try to prevent this from happening again:
Although the County has in place multiple administrative requirements needed to protect your health information in compliance with HIPAA, this incident has lead us to review our current contract language and requirements related to the handling of pharmaceutical records to prevent such occurrences in the future. We plan to take further steps to safeguard our patient care records including a review of existing databases in order to confirm that all private patient information is secured on encrypted servers pursuant to Fairfax County Policy. Fairfax County will continue to take all necessary steps to protect the personal information of patients of the CHCN.
Overall, I’m pretty impressed with the breach response, other, perhaps, than how long it took. From day of discovery (October 4) to notification letter (December 11) was more than the 60 days proscribed by HITECH. I hope Fairfax’s review considers whether this could have been handled more quickly.
If you are a patient who was affected by this breach, are you satisfied with the county’s notification to you and their handling of this breach?