One of the incidents reported to HHS this month was an incident reported by QuadMed in Wisconsin. Today, I finally found some documentation as to what that incident was all about.
As background, QuadMed describes itself as providing occupational health and primary care services to some clients. In some cases, they may take over an onsite clinic at a client’s. When that happens, QuadMed and the client may agree or arrange that health-related information from the clinic will be stored in a shared records system that both QuadMed and some of the client’s employees can access.
And that’s pretty much what they did with three of their clients: Hillenbrand, Stoughton Trailers and the Whirlpool Corporation.
QuadMed took over the Hillenbrand onsite clinic on November 7, 2013. According to a statement they issued, on December 26, 2017, QuadMed became aware of a potential technical issue that enabled Hillenbrand employees to access more information than they should have been able to access. Whether that unintended access existed since November 2013 was not clear, but that information included employees’ name, date(s) of services or treatment at the onsite clinic, and medical information, such as test or evaluation results, diagnoses, and information related to medical history, examinations, physicals, screenings, vaccinations, travel medicine, and/or workers’ compensation information.
In response to the incident, QuadMed and Hillenbrand implemented new administrative and technical controls and re-educated employees on HIPAA.
QuadMed also took over the Stoughton Trailers onsite clinic. According to their statement, on December 26, 2017, QuadMed also became aware of the potential technical issue with access to that clinic’s record system (as with the Hillenbrand situation). Their investigation determined that certain Stoughton Trailers’ employees had access to more information in that system, as well as through other electronic means, than should have been permissible since May 9, 2016.
Starting in January 2017, QuadMed also took over the onsite clinic at Whirlpool Corporation’s Clyde, Ohio plant. On February 6, 2017, QuadMed recognized that there was an issue, and according to their statement, was working to investigate and then remedy the issue since that time. “In October 2017,” they write, “QuadMed was granted with the needed level of system access to more thoroughly investigate the issue. QuadMed subsequently determined this notification was appropriate.”
QuadMed’s report to HHS indicated that 4,549 patients were affected.