Health System Seeks Patients' Help to Mitigate Email Mishap
Misaddressed Email Affected Nearly 56,000 Individuals
A breach involving misdirected emails to nearly 56,000 patients allegedly tied to a sorting error by a business associate has taken an unusual twist: The organization involved, Dignity Health, is asking for patients' help in mitigating the privacy mishap.
The request made by Dignity Health for patients' assistance, while intended to be helpful, is potentially counterproductive, some privacy experts contend.
On May 31, Dignity Health reported to the U.S. Department of Health and Human Services' Office for Civil Rights an unauthorized access/disclosure breach involving email and a business associate, according to HHS' HIPAA Breach Reporting Tool website. Commonly called the "wall of shame," the website lists health data breaches impacting 500 or more individuals.
San Francisco-based Dignity Health describes itself as the fifth largest health system in the nation and the largest hospital provider in California. It operates more than 400 care centers, including a variety of clinics, in 22 states.
A notice posted on the organization's website says Dignity Health discovered on April 24 that an emailing list formatted by Healthgrades, a business associate, contained a sorting error.
"This sorting error caused an email notice intended for a select group of patients to be sent to the wrong person," Dignity Health says. "The email was meant to notify recipients that they can now schedule appointments online with their physicians. Together with Healthgrades, we have determined that each email was misdirected to one other person and included first and last names, and possibly the name of the patient's physician. There was no financial, insurance or medical information included in the email."
But to help mitigate the mistake, Dignity Health is asking for help from patients who received the misaddressed emails.
"If you received an email on April 24, 2018, from Hello@DignityHealth.org that contained the first and last name of another person, and possibly the name of that person's physician, we kindly ask that you permanently delete that email by deleting it from your inbox and further deleting it from your deleted emails folder."
The organization adds that by working with Healthgrades, "we have already investigated and corrected the problem." Dignity Health says it's also working with Healthgrades "to put appropriate steps in place so that it will not happen again."
Pros and Cons
Privacy attorney David Holtzman, vice president of compliance at the security consultancy CynergisTek, says he supports the approach taken by Dignity Health to encourage deletion of the mistaken emails.
"The HIPAA Breach Notification Rule strongly encourages covered entities and business associates to take steps to mitigate the risks to PHI following any impermissible disclosure through obtaining some assurance that the information will be destroyed," he says. "In addition, the approach taken by Dignity Health provides consumers a role they can play in contributing to a culture of respect for the confidentiality of health information."
Some other privacy experts, however, contend that the request made by Dignity Health for patients' assistance in addressing the emailing mishap could backfire.
"Based on why other types of entities have made such statements, I believe they are probably trying to demonstrate due diligence to HHS, the involved breach victims, and whoever else is their regulator or potential person who may want to bring a lawsuit," says Rebecca Herold, president of Simbus, a privacy and cloud security services firm, and CEO of The Privacy Professor consultancy.
"Asking the misdirected email recipients to delete, in all places, these emails is bringing bystanders into the breach situation where now the recipients may decide they will look at those emails where before they may have just deleted them on their own," she notes. "Curiosity is a powerful feeling that many will find increased by the lure of looking at what others are now making explicit requests to try and get the recipients to overcome."
While Herold says most individuals likely will comply by deleting the emails from their inbox, "most will not take the second step to delete from their trash file also."
Some will look at the messages and use the information if they believe it is to their advantage or profit, Herold predicts. "There are always a very small percentage of the public who will take such data and use it for fraud or other malicious purposes if it falls into their laps," she says.
Kate Borten, president of privacy and security consulting firm The Marblehead Group, says to help track compliance with Dignity Health's request that patients delete the misdirected email, the healthcare provider organization could have taken an extra step to request that each individual respond and confirm email deletion. "If the PHI were in a physical form, such as paper, the CE or BA could collect it," she says. "But electronic data in the hands of the public is not under the CE's or BA's control."
Still, some patients receiving the misaddressed emails could be tempted to "snoop" before deleting the messages. "It is human nature to snoop. ... It is very likely that these email recipients will have read the names of other patients," Borten says. "Unless the identified doctors are well-known in the community and associated with a particularly revealing specialty - such as oncology, obstetrics, or mental health - this may not be significant."
Breaches involving misaddressed emails are relatively common, but they often affect smaller numbers of individuals.
These incidents "can happen both programmatically, as in this [Dignity Health] case, and by human error, usually affecting only one or a small number of patients," Borten says. "I also suspect there are many cases of an individual at a CE or BA misdirecting an email containing PHI, and never reporting it internally. Sometimes this is through ignorance, other times knowingly."
But in addition to breaches involving email mishaps - including phishing incidents - the wall of shame is dotted with incidents involving the potential unauthorized disclosure of PHI through paper mailings.
One such incident has had costly consequences. That case involved a 2017 mailing of letters to about 12,000 Aetna insurance plan members in several states to inform them of the new options for filling their HIV prescriptions. The members' HIV drug information was potentially visible through that mailing's envelopes, which had transparent windows.
The incident has resulted in several lawsuits and settlements, including a $17.2 million settlement in a class action lawsuit filed against Aetna and a $1.15 million settlement with the New York state attorney general's office (see Another Twist in Messy Aetna Privacy Breach Case).
Like the Dignity Health email breach, the Aetna mailing envelope mishap also involved a third-party vendor.
"Due diligence is always important when engaging a BA," Herold says. "Every CE needs to know that when a BA has a breach, the CE's name will be the one splashed all over the headlines, and those involved will hold the CE accountable. CEs must understand that when they entrust their data and systems to a third party, they must take actions to help ensure the BA is doing all that is feasible to help protect their data against breaches."
More Dignity Health Breaches
In addition to the incident involving the misaddressed email, Dignity Health reported three other breaches to OCR on June 10. Each of those is listed on the OCR wall of shame as involving unauthorized access/disclosure and film/paper. In total, the three breaches impacted about 6,000 individuals.
No business associate involvement is reported in the incidents that occurred at three hospitals in Nevada - Dignity Health St. Rose Dominican Hospitals, San Martin; Dignity Health St. Rose Dominican Hospitals, Siena; and Dignity Health St. Rose Dominican Hospitals, DeLima.
The blog Databreaches.net reports that those incidents involved the hospitals providing documentation to an unnamed local contractor that they had used for years to process court-related health documents. Through a clerical error, the contract had not been renewed, so for a while, there was no contract in place although the hospitals continued to provide patient information to the contractor. The contractor handled the materials properly despite the lack of contract, and the contract renewal went through to restore the contractual relationship, Databreaches.net reports.
Dignity Health did not immediately respond to an Information Security Media Group request for comment on the four reported breaches.
In a statement provided by Healthgrades to ISMG, the company said: "All of us at Dignity Health and Healthgrades take our responsibility to protect patients' personal and medical information very seriously. We sincerely regret that this error happened and any concern or confusion it may have caused." Each misdirected email was sent to only one person, Healthgrades adds.
Organizations can take steps to avoid email breaches like the one reported by Dignity Health.
"CEs should consider using secured messaging portals instead, where the recipients must validate who they are before getting their messages," Herold suggests.
Also, BAs should provide some type of quality assurance and/or testing results, or other validation, to CEs that describe how the possibilities for such mistakes were minimized, Herold says.
Organizations tend to overlook their email system and not treat it as carefully as their production systems, such as electronic health records or billing, Borten says. "The HIPAA Security Rule calls for change management processes both by CEs and by BAs," she notes.
Holtzman notes that good vendor management practices call for a covered entity to work with their contractors to employ a risk-based strategy. That includes assessing the potential for compromise of data when designing the production and merging of patient contact information with a message containing information about their health status or treatment, he says.
"The principles are the same whether the medium of communication is electronic or producing a printed document sent to be stuffed in an envelope," he notes.
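To make the mechanism and the suggested quality-assurance step concrete, the following is an added example and not code from Dignity Health, Healthgrades or this article. The roster, the fictional names and example.com addresses, and the particular mistake (sorting the name and physician columns of a mailing list while the address column keeps its original order, the way a single-column spreadsheet sort does) are all constructed assumptions; the article says only that a "sorting error" in the list sent each notice to one other person. It shows how such a sort sends every body to a different patient's mailbox, and the kind of pre-send reconciliation gate a business associate could run, and hand to the covered entity as evidence, before a batch is released.

```python
# Added example, not Dignity Health's or Healthgrades' code. The roster, the
# names and the specific sort mistake are constructed for illustration.
from dataclasses import dataclass


@dataclass(frozen=True)
class Recipient:
    first: str
    last: str
    email: str
    physician: str


# Constructed sample roster: fictional patients, example.com addresses.
ROSTER = [
    Recipient("Ana", "Lopez", "ana.lopez@example.com", "Dr. Patel"),
    Recipient("Cara", "Nguyen", "cara.nguyen@example.com", "Dr. Chen"),
    Recipient("Ben", "Ortiz", "ben.ortiz@example.com", "Dr. Patel"),
    Recipient("Dev", "Kumar", "dev.kumar@example.com", "Dr. Ruiz"),
]


def render(r: Recipient) -> str:
    """The notice body: name plus physician, which is exactly the data the
    article says was exposed when a body reached the wrong mailbox."""
    return f"Hello {r.first} {r.last}, you can now book online with {r.physician}."


def build_batch_buggy(roster):
    """Assumed spreadsheet-style mistake: the name/physician columns are
    sorted by last name while the address column keeps its original order,
    so row i's body is paired with row i's *old* address.
    Returns a list of (to_address, body)."""
    bodies = [render(r) for r in sorted(roster, key=lambda r: r.last)]
    addresses = [r.email for r in roster]  # never re-sorted
    return list(zip(addresses, bodies))


def build_batch_fixed(roster):
    """Sort whole records, never parallel columns: body and address are
    always taken from the same record."""
    return [(r.email, render(r)) for r in sorted(roster, key=lambda r: r.last)]


def misdirected(batch, roster):
    """Pre-send reconciliation against the source roster. Returns
    {to_address: full name that mailbox would wrongly see}; an empty dict
    means every body is going to the person it names."""
    owner_of_body = {render(r): f"{r.first} {r.last}" for r in roster}
    owner_of_addr = {r.email: f"{r.first} {r.last}" for r in roster}
    problems = {}
    for addr, body in batch:
        seen = owner_of_body.get(body)        # whose name is in this body
        expected = owner_of_addr.get(addr)    # whose mailbox this is
        if expected is None or seen != expected:
            problems[addr] = seen
    return problems


def gate(batch, roster):
    """Release gate a BA can run and log as QA evidence: refuse to send any
    batch in which even one body is addressed to someone it does not name.
    Returns the number of messages released."""
    problems = misdirected(batch, roster)
    if problems:
        raise ValueError(
            f"{len(problems)} of {len(batch)} messages misdirected: {problems}"
        )
    return len(batch)


if __name__ == "__main__":
    bad = build_batch_buggy(ROSTER)
    # Every address ends up seeing one other patient's name and physician.
    print("buggy batch:", misdirected(bad, ROSTER))
    try:
        gate(bad, ROSTER)
    except ValueError as e:
        print("blocked:", e)
    print("fixed batch released:", gate(build_batch_fixed(ROSTER), ROSTER), "messages")
```

The check is deliberately independent of the merge code: it re-derives, from the source roster, what each address should receive and compares that with what is actually queued, so a defect anywhere in the sort, export or merge stage is caught at the last step before sending rather than by the recipients.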