Back in December, 2014, I noted that HHS had added an incident involving Walgreens:
Walgreen Co. reported that 160,000 patients had PHI involved in an August 1st – November 6th breach involving paper records. I was unable to find any coverage of this, but this could be big, as Walgreen has had problems before with paper records, and was even fined in the past. This is the fifth breach involving Walgreens to show up on HHS’s public breach tool since its inception in September 2009.
We now know more about what happened in this incident, as HHS has updated its public breach tool with a summary of OCR’s investigation:
The covered entity (CE), Walgreens, mailed patient notification letters to incorrect third parties. The letters included first and last names, addresses, dates of birth, phone numbers, provider names, and details of the vaccines administered and affected approximately 160,000 individuals. The CE provided breach notification to HHS, affected individuals, and the media, and placed notice on its website. Following the breach, the CE resolved issues in its use of the electronic health record (EHR) that were factors in the breach, updated data in the prescriber database and trained its staff on the new requirements. As a result of OCR’s investigation, Walgreens improved safeguards by resolving two issues in its use of the EHR.
Well, okay then.