San Francisco-based Dignity Health, a not-for-profit hospital company with locations in California, Nevada and Arizona, suffered three data breaches in quick succession over a six-week timespan this spring. One involved the physician rating and scheduling company Healthgrades Operating Company, Inc., and affected nearly 56,000 patients.
The second breach involved more than 6,000 records exposed in Nevada by a third-party contractor that previously had been a business associate (BA), but the BA agreement had been allowed to expire due to a clerical error, according to Dignity Health. The third breach occurred when an employee in Arizona accessed protected health information (PHI) for 229 patients without a valid reason, the company says.
In the Healthgrades breach, 55,947 patients were sent an email describing a new online appointment scheduling tool.
According to the joint statement issued by Dignity Health and Healthgrades:
On April 24th, 2018, Dignity Health, including its affiliates Dignity Health Medical Group Nevada, LLC, and Dignity Health Medical Foundation, discovered that an email list formatted by Healthgrades, one of its BAs, contained a sorting error. This error resulted in Dignity Health inadvertently sending misaddressed emails to a group of patients, informing them of a new online appointment scheduling tool. Immediately upon learning of the incident on April 25th, Dignity Health and Healthgrades launched a comprehensive investigation.
The two companies took steps to notify the affected patients and “are putting appropriate steps in place so that it will not happen again,” the statement says. “Each misdirected email was sent to only one person. The emails contained the wrong patient’s name and, in some cases, his or her physician’s name. No other information was included in the email. Importantly, there was no financial, insurance, or medical information included.”
Richelle Marting, an attorney with the Forbes Law Group in Overland Park, Kansas, says the Dignity Health-Healthgrades breach shows that mass communications that include PHI—especially those requiring coordination between a covered entity (CE) and a BA like Healthgrades—need to be carefully designed.
It’s now common for patients to book appointments online using sites like Healthgrades, and prospective patients may use a variety of different websites that provide doctor reviews prior to booking appointments. Some, such as Google for Business, Facebook and Yelp, only provide reviews and links to provider websites. Healthgrades, Zocdoc and others allow patients to book appointments through their website.
Online Services Becoming Ubiquitous
Healthgrades has partnered with a variety of companies to make its online scheduling function available to patients; these include Edward-Elmhurst Health, a large integrated health system in Illinois, and Ochsner Health System, a not-for-profit health care provider in Louisiana. In May, Healthgrades announced that it would make its online appointment scheduling for hospitals available in the Epic App Orchard, which will allow hospitals and health systems using Epic to provide real-time booking for patients on Healthgrades.com and automatically sync schedules and appointment information.
Zocdoc, meanwhile, offers online scheduling for providers participating in the networks of large insurers, including Aetna, Inc.; Anthem, Inc.; Cigna; and UnitedHealth Group. Geisinger Health System, Mount Sinai Health System, and Tufts Medical Center also use Zocdoc. Its online scheduling function integrates with Allscripts’ clinical scheduling software.
“Online scheduling is becoming increasingly common as a means to promote patient access by giving patients an opportunity to select appointment dates and times convenient for them without requiring a phone call to the hospital or provider,” Marting says. “If the vendor, such as Healthgrades, is creating, receiving, maintaining or transmitting patient information in any way, a BA agreement would be needed. Here, for example, if Healthgrades is using an email distribution list, formatting it and sending emails as they did for Dignity, then a business associate agreement is required.”
Incorporate a Final ‘Quality Check’
The Dignity Health-Healthgrades breach bears some similarity to other data breaches that have involved paper mailing mix-ups, she tells RPP. “Many of the breaches involving mailings have two common characteristics: they involved a technical glitch, and the error could have been spotted and prevented with a process to spot-check the mailings before they are sent.”
This type of error is easy to make, Marting says. “Even working with databases of information internally where there would not be a breach, manipulating columns of data or removing a row or cell can easily move data around in a way you didn’t realize and didn’t intend,” she says. “Then, all of a sudden, you have patient information mixed and matched and a breach such as this one is prone to occurring.”
Marting urges incorporating a final quality check before any mass communications go out—and that includes those sent by email and regular mail. “Review all of the data fields to be sure they’re correct and all match up with a patient’s record,” she says. “Do this check not just for the first few records, but randomly throughout the entire database, in case the error occurs further down within the dataset.” If the check uncovers errors or discrepancies, stop the process and isolate the cause, she says.
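As an added illustration of the quality check Marting describes (not code from the article or from Dignity Health or Healthgrades), the Python below compares a vendor-formatted outbound email list against the authoritative patient record, samples rows from across the whole list rather than only the top, and halts the send on any discrepancy. The patient records and the outbound list are constructed sample data; the outbound list reproduces a sorting error in which the name and physician columns were re-sorted independently of the email column.

```python
import random

# Constructed sample data: authoritative patient records, keyed by patient id.
PATIENT_RECORDS = {
    "p001": {"email": "ana@example.org", "name": "Ana Ruiz", "physician": "Dr. Lee"},
    "p002": {"email": "ben@example.org", "name": "Ben Park", "physician": "Dr. Osei"},
    "p003": {"email": "cal@example.org", "name": "Cal Diaz", "physician": "Dr. Lee"},
    "p004": {"email": "dee@example.org", "name": "Dee Wong", "physician": "Dr. Ng"},
}

# Constructed vendor-formatted list: rows 2 and 3 carry another patient's
# name and physician, the kind of column mix-up a sorting error produces.
OUTBOUND_LIST = [
    {"email": "ana@example.org", "name": "Ana Ruiz", "physician": "Dr. Lee"},
    {"email": "ben@example.org", "name": "Ben Park", "physician": "Dr. Osei"},
    {"email": "cal@example.org", "name": "Dee Wong", "physician": "Dr. Ng"},
    {"email": "dee@example.org", "name": "Cal Diaz", "physician": "Dr. Lee"},
]

def verify_row(row, records_by_email):
    """Return the fields in this row that disagree with the patient record."""
    record = records_by_email.get(row["email"])
    if record is None:
        return ["email"]  # address is not tied to any patient record
    return [f for f in ("name", "physician") if row[f] != record[f]]

def spot_check(outbound, records, sample_size, seed=0):
    """Sample rows across the entire list and check every field of each."""
    by_email = {r["email"]: r for r in records.values()}
    rng = random.Random(seed)  # fixed seed so the audit is reproducible
    k = min(sample_size, len(outbound))
    mismatches = {}
    for i in sorted(rng.sample(range(len(outbound)), k)):
        bad = verify_row(outbound[i], by_email)
        if bad:
            mismatches[i] = bad
    return mismatches

def release_decision(outbound, records, sample_size):
    """Gate the mailing: any discrepancy in the sample stops the send."""
    mismatches = spot_check(outbound, records, sample_size)
    return (len(mismatches) == 0, mismatches)
```

A full check (sample_size equal to the list length) is the safer choice when the list is small enough to afford it.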
Ultimate responsibility for the mistake would vary depending on how a specific mass communication effort was set up, she says.
This may matter if the Office for Civil Rights (OCR) ever brings enforcement action. “If the health system is getting the data already formatted from the vendor and the health system is responsible for sending it out, the covered entity especially needs to have a verification process to spot-check the accuracy of the data to avoid a breach,” says Marting. “In that instance, the risk would likely fall directly on the covered entity from the OCR’s perspective, with their remedy from the BA being contractual in nature. However, if the BA formats the data and sends the messages which contain an error, liability could fall directly on the BA from the OCR’s perspective. Specifying those details in the contract to clarify who is responsible for reviewing accuracy of the data prior to a mass communication could be critical.”
Marting adds: “If each party believes the other is responsible for that final quality check, it may never happen and breaches are more likely to occur.”
There are other risks involved when CEs use third-party vendors such as Healthgrades to help schedule appointments and perform other tasks, including billing, Marting says. These involve both technical issues and the human element, she says.
“From a technical perspective, I often see health care providers giving vendors access to information systems like a billing or scheduling system, but having a lack of controls for terminating access when a staff member with the vendor leaves the company,” she says. “For example, if a person working for a vendor has access to a health care provider’s information through a web portal, and the employee quits, there must be a way to terminate that individual’s access. If the health care provider or vendor has any shared logins, that often does not happen.”
Marting says she often runs into “health care providers that issue a single login account per business associate, and multiple individuals within the vendor’s organization log in using that same credential.” This obviously is problematic, she says.
In addition, “it’s hard to put enough technical safeguards in place to prevent bad actors from engaging in such egregious conduct”—for example, if an employee of a medical billing company was stealing patient identities, she says.
Many of the risks faced by vendors are similar or the same as the risks faced by health care providers, Marting says. Challenges include “needing to perform security risk assessments to understand where their risks lie, and failing to identify all the locations where PHI may be created, received, maintained or transmitted, which could create risk areas.”
Contact Marting at rmarting@forbeslawgroup.com.