On April 22, I noted that Susquehanna Health had notified HHS that 657 patients were affected by a breach on December 5, 2013 involving “Unauthorized Access/Disclosure, E-mail.” I could find no statement on their website at that time. I still can’t find one, but their report to the Maryland Attorney General’s Office provides the missing details.
On December 5, 2013, an employee at Soldiers & Sailors Memorial Hospital in Wellsboro, a Susquehanna Health affiliate, was responding to a routine request from an insurance carrier for claims information on their covered members. The employee, however, reportedly provided more information than what was required for covered members and also disclosed information on other patients who were not covered members of the insurance firm. To make matters worse, all of the information was sent to the insurance firm via unencrypted e-mail. If you’re keeping score, I’d count that as three HIPAA violations right there.
But wait, it actually gets worse. Susquehanna Health did not learn of the breach until March 6 (they do not indicate how they learned of it), but when it started investigating it, it learned that the insurance company (Universal American) had forwarded (further released) the improperly shared data to its subcontractor, iGATE, for data analysis. The information included patients’ names, addresses, dates of birth, Social Security numbers, health insurance information, payment information, encounter identification numbers, physicians’ names, diagnostic codes, and patients’ employers.
In response to the breach, Susquehanna Health conducted extensive re-training of the employee and the entire department and indicated it would be making other changes.
Thankfully, the parties to whom the PHI was improperly released are themselves covered by HIPAA, so the risk of misuse of the information is relatively low. Despite that, Susquehanna did offer those affected free credit monitoring services for a year.
You can read their notification here (pdf).