Soap operas are almost always long-running. Privacy breaches should not be, and 16 years is a very long time for a problem to go undetected. But it appears that’s what happened to the Virginia Commonwealth University Health System (“VCU Health”).
Last month, VCU Health disclosed that they had recently learned that beginning as early as January 4, 2006, information about transplant donors had accidentally been included in files for their transplant recipients and vice versa. The information was not available to the general public but could be viewed by transplant recipients, donors, and/or their representatives when they logged into the recipient’s and/or donor’s patient portal.
“Additionally, this information may have been released in response to a release of information request made at the request of, or on behalf of, the recipient and/or donor,” VCU Health explained in a notice on their website.
According to the notification, it was on February 7, 2022 that VCU Health learned that a “limited amount of protected health information” (PHI) may have been viewable. Their discoveries were not over, however. VCU subsequently learned that from March 29 to May 27, some donors’ or recipients’ records that were potentially viewable contained additional PHI: names, Social Security numbers, lab results, medical record number, date(s) of service, and/or dates of birth.
“The total number of donors and recipients involved in this incident is 4,441,” VCU Health stated in their notification. It is the same number that they reported to HHS for the breach. VCU confirmed to DataBreaches that the 4,441 number includes all patients or donors whose files disclosed protected health information of others and where the files had been accessed going back to January 2006..
Not the First Long-Running Problem
Although VCU Health reports that it has found no evidence to suggest that any information has been misused, a long-running breach of this kind raises a number of questions. But this wasn’t VCU Health’s only long-running breach.
As reported previously on DataBreaches, in July 2018, VCU Health disclosed that an employee had been inappropriately accessing health information for about 4,700 people or their children. The inappropriate access occurred between Jan. 3, 2003 and May 10, 2018.
Inappropriate access to patient records represents a different challenge to privacy and security than auditing or ensuring that only the appropriate information is included in any file, but to have two such problems go undetected for so many years is something that merits some serious problem-solving.
This post was updated after receiving clarification and confirmation from VCU Health that the 4.441 number included all earlier cases where there was erroneous inclusion of protected health information in files that were accessed.