The protected health information (PHI) of around 14,121 patients at Rady Children's Hospital has been compromised because of human error.
An employee inadvertently emailed a spreadsheet containing the children's health information to a few job applicants who had applied for data management jobs, and they in turn forwarded it to two other persons. The intention had been to send approved information to the applicants for an internal evaluation, but the employee accidentally attached the spreadsheet with real patient details.
According to a news report, the spreadsheet contained information such as dates of birth, primary diagnoses, admittance and discharge dates, medical record numbers, and insurance claim information, but not the patients' Social Security, insurance or credit card numbers, street addresses, or information about the children's parents or guardians.
Corrective Action
The hospital apologized to the affected families and has taken corrective measures. Rady officials contacted all six recipients and, with the help of an independent information technology security firm, confirmed that the errant spreadsheet was deleted. The hospital confirmed that each recipient has provided a written statement that they have deleted the email and the attachment from their computer and from other devices such as an iPad or mobile phone. Rady Children's Hospital also set up a phone bank staffed by more than 150 employees to contact families affected by the breach and mailed notices to each of them.
Rady Children's states that it has taken the following measures to prevent such incidents from happening again:
– Use only commercially available and validated testing programs to evaluate job applicants and only test candidates onsite
– Work to improve information security and automated screening to flag emails that may contain potential protected health or other sensitive information. Every email will need additional approval before it can be sent
– Work with their email encryption provider to further strengthen security of sensitive data
– Continue to educate employees on HIPAA compliance
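The "automated screening" in the second measure above is in effect an outbound data-loss-prevention check: inspect what is about to leave, and hold anything that looks like PHI for a second pair of eyes. The Python below is an added illustration of how such a gate can work; it is not Rady Children's own tooling, and the column names, the MRN identifier format, the diagnosis-code pattern and the "two indicators per row" threshold are assumptions chosen for the example. The two CSV attachments are constructed sample data, not real patient records.

```python
import csv
import io
import re
from dataclasses import dataclass, field

# Constructed sample attachments (made-up values, not real patient data).
# PHI_EXPORT mimics a clinical export like the one described in the article;
# SKILLS_TEST mimics the kind of material that was meant to go to applicants.
PHI_EXPORT = """patient_id,dob,mrn,admitted,discharged,primary_dx,claim_no
1,2009-04-12,MRN0045821,2014-03-02,2014-03-05,J18.9,CLM-88123-A
2,2011-11-30,MRN0045977,2014-03-03,2014-03-04,E10.9,CLM-88124-B
"""
SKILLS_TEST = """question,points
What does SQL stand for?,5
Name two normal forms.,10
"""

# Header keywords that suggest PHI columns (assumption: tuned to this
# organization's export naming; a real deployment would maintain its own list).
PHI_HEADER_TERMS = ("dob", "birth", "mrn", "medical_record", "diagnosis",
                    "dx", "admit", "discharg", "claim", "insurance")

# Value patterns (assumed formats): MRN-style identifiers, ICD-10-like
# diagnosis codes, and ISO dates such as birth/admission/discharge dates.
MRN_RE = re.compile(r"\bMRN\d{6,}\b")
ICD10_RE = re.compile(r"\b[A-TV-Z]\d{2}(?:\.\d{1,4})?\b")
DATE_RE = re.compile(r"\b\d{4}-\d{2}-\d{2}\b")


@dataclass
class ScanResult:
    flagged: bool
    reasons: list = field(default_factory=list)
    rows_with_phi: int = 0


def scan_csv_for_phi(text: str, min_rows: int = 1) -> ScanResult:
    """Scan a CSV attachment for PHI-like headers and PHI-like row contents."""
    reader = csv.DictReader(io.StringIO(text))
    headers = [h.strip().lower() for h in (reader.fieldnames or [])]
    result = ScanResult(flagged=False)

    header_hits = [h for h in headers if any(t in h for t in PHI_HEADER_TERMS)]
    if header_hits:
        result.reasons.append(f"PHI-like column headers: {header_hits}")

    for row in reader:
        values = " ".join(v or "" for v in row.values())
        # Require two independent indicator types in the same row so that a
        # lone date or a lone code in an innocuous file does not trip the gate.
        indicators = sum(bool(r.search(values)) for r in (MRN_RE, ICD10_RE, DATE_RE))
        if indicators >= 2:
            result.rows_with_phi += 1
    if result.rows_with_phi >= min_rows:
        result.reasons.append(f"{result.rows_with_phi} row(s) with multiple PHI indicators")

    result.flagged = bool(result.reasons)
    return result


def gate_outbound_email(attachments: dict) -> dict:
    """Decide whether an outbound message may be sent or must be held for approval.

    `attachments` maps attachment filename -> CSV text. Any flagged attachment
    holds the whole message, and the reasons are returned for the approver.
    """
    findings = {name: scan_csv_for_phi(body) for name, body in attachments.items()}
    hold = any(r.flagged for r in findings.values())
    return {
        "action": "HOLD_FOR_APPROVAL" if hold else "SEND",
        "findings": {n: r.reasons for n, r in findings.items() if r.flagged},
    }


if __name__ == "__main__":
    # A message carrying both files is held; the test alone is allowed through.
    print(gate_outbound_email({"skills_test.csv": SKILLS_TEST, "export.csv": PHI_EXPORT}))
    print(gate_outbound_email({"skills_test.csv": SKILLS_TEST}))
```

The gate deliberately combines structural evidence (column names) with content evidence (several PHI-like values co-occurring in one row) so that a spreadsheet of interview questions passes while a clinical export is held, which is the distinction that was missed in this incident. In practice this logic would sit in the mail gateway or DLP product and would cover other attachment types as well.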
In its Notice and Information Regarding Disclosure of Patient Information, the hospital says, "We are using these incidents as examples to better inform our leadership team and employees about the need to protect patient information and the importance of the policies we have in place and train them in these new measures we are taking."
Rady Children's PHI Breach – Lessons to Learn
There are many lessons to be learned from this PHI data breach. Healthcare providers need to strictly implement proper administrative, technical and physical safeguards to ensure HIPAA compliance. If they outsource medical transcription, data entry or document conversion, they need to ensure secure modes for the transmission of PHI.
According to the Identity Theft Resource Center, there were a total of 4,579 recorded breaches and a total of 630,870,450 exposed records during the period from 2005 to June 5, 2014. Governmental organizations, healthcare facilities, banks, private companies, educational institutions and more are constantly exposed to data security threats. In addition to employee error/negligence, other reasons for breaches include:
* Insider Theft
* Hacking
* Subcontractor/third party
* Accidental Internet exposure
* Physical Theft
When a data breach has occurred, measures should be immediately implemented to restore security and to protect the goodwill of the organization. All the details of the incident should be documented, including the response efforts and conversations with law enforcement and legal counsel. Other important actions to perform are:
* Record the exact date and time at which the breach was discovered and when response efforts begin
* Alert and activate the response team to execute the established response plan
* Preserve evidence by securing the premises where the breach occurred to prevent further loss of information
* Document everything related to the incident
- Who reported it?
- Who discovered it?
- How was the information stolen?
- To whom was it reported?
- What devices are missing?
- What systems are affected?
- What is the type of breach that has occurred?
- What was stolen?
- Who else knows about it?
If necessary, a forensics firm should be brought in and law enforcement notified for further investigation.
Large organizations should anticipate that human error can put secure information at risk. Recognizing this reality and taking appropriate measures to minimize such risks is crucial both for consumers and for the health of the organization.