IT Misconfiguration Leads to 15 Breach ReportsLetters From Texas Health Resources Hospitals Mailed to Wrong Recipients
A misconfigured billing system that caused a mailing mishap affecting nearly 83,000 individuals has prompted Texas Health Resources to file 15 breach reports to federal regulators - one for each hospital involved.
The healthcare system serves more than 7 million patients in North Texas through a physicians group and 26 hospital locations.
In a statement, Texas Health Resources says that on Aug. 23, it learned that a misconfiguration of its billing system "allowed for patient information to be matched with and sent to the incorrect guarantor" from about July 19 through Sept. 4.
"Texas Health immediately took steps to correct the misconfiguration and began an investigation," the statement says. "The investigation determined that some billing information may have been mailed to someone other than the patient or their guarantor, which included patient name, account number, service date, name of treating physicians, name of health insurer, amount owed, and in some instances a short description of services rendered."
Texas Health says it has not seen indication so far that any patient's information has been misused.
The U.S. Department of Health and Human Services' Office for Civil Rights HIPAA Breach Reporting Tool website shows that on Oct. 22, Texas Health filed a breach report for each of the 15 hospitals impacted by the mishap, describing it as an "unauthorized access/disclosure" breach.
A total of nearly 83,000 individuals were affected by the Texas Health incident, according to the HHS website, which lists health data breaches affecting 500 or more individuals.
The 15 hospitals impacted by the incident are:
- Texas Health Harris Methodist Hospital Fort Worth, 15,000 individuals affected;
- Texas Health Presbyterian Hospital Dallas, 12,400;
- Texas Health Presbyterian Hospital Plano, 9,700;
- Texas Health Harris Methodist Hospital Southwest Fort Worth, 7,500;
- Texas Health Presbyterian Hospital Denton, 6,700;
- Texas Health Arlington Memorial, 6,200;
- Texas Health Harris Methodist Hospital Hurst-Euless-Bedford, 4,800;
- Texas Health Presbyterian Hospital Rockwall, 4,800;
- Texas Health Harris Methodist Hospital Alliance, 3,800;
- Texas Health Presbyterian Hospital Allen, 3,000;
- Texas Health Harris Methodist Hospital Cleburne, 2,700;
- Texas Health Harris Methodist Hospital Kaufman, 2,200;
- Texas Health Harris Methodist Hospital Stephenville, 1,300
- Texas Health Harris Methodist Southlake, 500.
Same Breach, So Many Reports
So why didn't Texas Health just file one HIPAA breach report representing all its affected hospitals and patients?
"The decision on the number of breach reports to file is likely based on each incident needing to be acknowledged separately, especially if more than one guarantor is involved," notes Keith Fricke, principal consultant at tw-Security.
Privacy attorney David Holtzman of the security consultancy CynergisTek offers a similar assessment. "It is not unusual for the components of a large health system to report separately a breach that had a common root cause or was the result of an incident at the hands of a business associate," he says.
"In this case, it appears that each of the facilities affiliated with Texas Health Resources was a covered entity required to submit its own report of an incident that occurred through managed billing services provided by the system's corporate parent."
Two of the five largest health data breaches added to the HHS HIPAA breach reporting website so far in 2019 have involved misconfigured IT.
In April, Puerto Rico-based clearinghouse and cloud services provider Inmediata Health Group reported a health data breach impacting nearly 1.6 million individuals involving a misconfigured IT setting that left protected health information viewable via internet search engines.
And a misconfigured database at UW Medicine in Washington state that left data on 974,000 patients exposed on the internet for several weeks.
As for mailing mishaps, one of the most scrutinized recent incidents involved insurer Aetna and a 2017 mailing of letters that exposed HIV-related information of 12,000 health plan members through the envelopes' clear window. That incident has resulted in Aetna settling a number of lawsuits that have cost the insurer more than $20 million.
So how can organizations avoid breaches tied to IT misconfigurations?
"Changes made to technology settings, especially ones that impact processes involving access to or dissemination of patient information, should undergo more rigorous testing to validate the changes have not created any opportunity for unauthorized access," Fricke says. "Quality control processes should catch these types of misconfigurations."
Organizations must take precautions when designing the production and merging of patient contact information with a message containing information about the patient's health status or treatment, Holtzman notes.
"It is a best practice to develop a quality control checklist to help ensure that the development of the document or electronic communication can be produced in way that protects the confidentiality of the PHI," he says.
Any data processing in the production of the communication should be checked to ensure the output allows for any PHI to be kept confidential, he adds. A final quality assurance check to physically inspect the communication should also be made to confirm that the communication is going to the correct recipient and contains the PHI meant for that individual, Holtzman notes.
Texas Health did not immediately respond to an Information Security Media Group request for comment on the incident.
In its breach notification statement, it notes that to help prevent similar incidents, "we are taking steps to further enhance the organization's data security procedures."