A recent update to HHS’s public breach tool revealed an incident involving Salina Health Education Foundation (d/b/a Salina Family Healthcare Center) in Kansas. The April 8th incident affected 9,640 patients and was coded as “Unauthorized Access/Disclosure E-mail.”
A statement dated June 2 explains:
Salina Family Healthcare Center (SFHC) notified more than 500 patients of an unintentional transmission of unsecured personal patient protected health information after discovering the following event:
On April 8, 2014, a staff member submitted a database to the National Commission for Quality Assurance (NCQA) for our involvement in a care coordination research study. The staff member responsible for our participation in the project inadvertently left a table in that database that included patients’ names, dates of birth, chart numbers and CPT codes associated with their care. Upon opening the email, the NCQA staff member who received the database immediately recognized the breach, deleted the database, and notified our staff member.
Rob Freelove, MD, CEO of Salina Family Healthcare Center said “We take the responsibility of protecting our patients’ information very seriously and we sincerely regret the inadvertent disclosure of patient information. We have thoroughly investigated this incident and believe the risk of patients’ protected health information falling into the wrong hands is incredibly low in this situation. We will closely monitor patient records at SFHC to ensure that there is no inappropriate subsequent access. We will do all we can to work with our patients and help them work through the process. We regret that this incident has occurred and we are committed to prevent future such occurrences. We appreciate our patients’ support during this time.”
In an ongoing effort to improve the quality of care that we provide to all of our patients, we work closely with the National Committee for Quality Assurance. NCQA is a private, not-for-profit organization dedicated to improving health care quality.
In response to the breach, SFHC has taken the following steps:
- Received assurance from the NCQA staff member who received the file that the file was destroyed by their Information Technology Department.
- Disciplined the staff member involved in this incident.
- Arranged to re-train all of our employees on the importance of protecting our patients’ personal health information.
- Assessed and modified our process for running reports from the electronic medical records to ensure personal information is removed prior to being submitted for research purposes.
- Reported the breach to the Department of Health and Human Services.
In a notification to our patients, we have offered our resources and encouraged patients to contact their financial institutions to prevent unauthorized access to personal accounts, even though unauthorized access is highly unlikely to occur.
Patients may visit the Salina Family Healthcare Center Web site at www.salinahealth.org for further information. Salina Family Healthcare Center also has staff available for patients to call with any questions related to the data breach. Patients may call 1-888-312-3884 from 8:00 a.m. to 5:00 p.m. Monday – Thursday and Friday 8:00 a.m. -4:00 p.m. with any questions.
Please direct all questions to Audrey Lee, Director of Human Resources and Compliance at 1- 888-312-3884 or [email protected].
Given the circumstances, I tend to agree with them that this is a very low-risk situation. They do not indicate, however, whether the email was sent encrypted or unencrypted.