Back in October, I commented on a complaint filed with HHS by the Monroeville, Pennsylvania Assistant Chief of Police. In August 2012, Chief Pascarella alleged that the town’s emergency dispatch service had been disclosing what should have been confidential information to his former boss, who, having retired, should no longer have been receiving copies of emergency dispatches on his cell phone. It appears that when he retired, the town never removed him from the notification system. The town’s lawyer didn’t see a problem, but Chief Pascarella did, and so did I.
What wasn’t clear to me, however, was whether the dispatch service was a HIPAA covered entity or not. To the extent that medical information was transmitted over an emergency dispatch system like fire department or police scanners that anyone and everyone could monitor, the transmissions wouldn’t be protected, but if they were transmitting to electronic devices such as individuals’ cell phones or email accounts, then…?
Since October, I have been in communication with an interested party in Monroeville, who tipped me that the breach wasn’t confined to just one person. According to my correspondent, the town’s failure to ensure it kept an updated, need-to-know list with appropriate access controls may have exposed hundreds of thousands of records to people who should not have received them or had access to them. According to this source, each fire company had its own login to the dispatch system’s database, and the logins were only one digit apart. Basically, then, pretty much anyone who knew any of the logins could access the entire database of emergency medical records. And it wasn’t just the fire department/EMS that had access to the database, as the police also had access to it.
When my correspondent attempted to learn what, if anything, HHS was doing with Chief Pascarella’s complaint, he was reportedly told that HHS had not opened an investigation (yet). I pointed out to him that HHS may have been viewing this as an N=1 complaint or case instead of an N=400,000 systemic case (the 400,000 was just a guesstimate on my correspondent’s part as to how many records might have been vulnerable to improper access).
Today, Annie Siebert of the Pittsburgh Post-Gazette reports that HHS has opened an investigation into the alleged breach:
Monroeville’s 911 dispatch center covers Monroeville, Pitcairn and Wilmerding.
“Anyone who has called the police, called the fire department, used our [emergency medical service]” or was transferred to or from a Monroeville hospital could be affected by the breach, Monroeville manager Lynette McKinney said. Monroeville police Chief Steven Pascarella said the leaks likely started sometime in late 2011 and continued until he discovered them in August 2012.
The breach first surfaced last year after then-Assistant Chief Pascarella filed the complaint, alleging ambulance dispatches were being sent to former Monroeville police Chief George Polnar, who retired in January 2010 and is now employed as the manager of security and parking at UPMC East in Monroeville.
But Ms. McKinney said the breach was wider than that.
“The magnitude of this investigation is well beyond the leaking of one resident’s private information to a former chief of police,” she said on Tuesday.
Read more on the Pittsburgh Post-Gazette. And kudos to Chief Pascarella and concerned citizens in Monroeville who have pursued getting this situation investigated.
Update: Then-Monroeville Manager Jeffrey Silka informed the town that he was opening an investigation into the allegations back in October 2012. On November 29, 2012, he announced that he would have the investigation “wrapped up soon.” It is not known to me whether any report was ever issued following that investigation, but Mr. Silka’s successor, Lynette McKinney, has made it clear that she intends to carefully investigate the problem and allegations.
Update2: In response to a freedom of information request I filed with Monroeville requesting the final investigative report issued by Mr. Silka, my request was denied on two grounds. The first is probably more relevant here: “Mr. Silka never completed a final investigative report on this matter.”