Colleen Henry reports on a breach involving Columbia-St. Mary’s Ozaukee Hospital in Wisconsin that highlights some recurring problems with both breaches and breach notifications. I’m excerpting her excellent reporting to make a few points:
Investigators said a janitor fed patient records to gang members. The lead investigator said in a sworn statement that a janitor had access to a master key that opened most every room in the building, even though he had been a discipline problem.
It’s how easily the janitor accessed the records that is causing alarm.
While the hospital paid an outside firm to shred patient documents, records indicate the janitor accessed records from unsecured shredding boxes in the hospital with broken locks.
Police believe the scheme went on for months before being discovered.
This is not the first time we’ve seen a breach involving janitorial staff. In some cases, the staff were direct employees of the covered entity, while in other cases they were employees of a contracted service. But how thoroughly do you really vet cleaning staff and the other people holding the keys to your kingdom?
But four years after the breach was discovered, many patients still have no idea their personal information may have been stolen.
Columbia St. Mary’s chose not to notify all its patients of the breach. They determined that only a few patients were affected.
“This is a situation that involved less than 10 people,” said Columbia-St. Mary’s spokeswoman Deborah Friberg. “All of those individuals were notified at the time.”
But the Sellers family was not told of the potential theft of their loved one’s records.
“The way my mother found out, through a third-party and not the hospital themselves after they knew this had happened, was appalling,” Sellers said.
In this type of situation, the entity cannot really know with complete assurance whose data have been stolen because the breach went on for months before being discovered. The hospital may have known for sure that 10 people were affected, but could it really be sure no others were at risk? Could gang members have re-sold information to others who would use it at another time?
The Sellers family sued Columbia-St. Mary’s for negligence and for violating their father’s right to privacy. The hospital fought the lawsuit, arguing that it, too, was a victim of a rogue employee who violated work rules and that it was not liable for negligence under Wisconsin law.
The judge dismissed the Sellers’ case last month, finding that Columbia-St. Mary’s was not legally responsible for the misconduct of its janitor. The judge also ordered the Sellers family to pay the hospital’s legal costs: $30,000.
I don’t know Wisconsin law, but saying that a firm is not responsible for the misconduct of its employee means that their assurances of privacy and security are pretty much b-sh*t. What are they saying, “We will keep your data secure and private, but you can’t be assured our employees will?”
12 News obtained court documents that state the scheme went on for as long as eight months and investigators seized nearly 30 patient records in a sting operation.
So were the other 20 patients notified by the hospital? HITECH may not have been in effect when the breach occurred, but HIPAA went into effect in 1996. A hospital spokesperson told the reporter:
“There was no rationale for doing something on a broader scale given the information we had at the time,” Friberg said.
An “abundance of caution” might have been a more appropriate and helpful response here.
Read the full report on WISN and see what you think. I do not think the hospital made the best decisions here.