A Tale of Breach Notification Blunders
Health System Addresses Some Victims as 'Deceased'
As a result of a mail merge mishap, some victims of a recent health data breach received breach notifications that mistakenly addressed them as being a minor or even "deceased."
Idaho-based Saint Alphonsus Health System, which is part of Trinity Health, a large Catholic healthcare delivery system that operates in several states, reported to federal regulators on March 4 a health data breach involving email that affected nearly 135,000 individuals.
Then, on March 8, the health system issued an updated statement noting that a "mail merge issue" resulted in an undisclosed number of affected patients receiving a breach notification letter addressing them as deceased or a minor.
"The mail merge issue did not occur at Saint Alphonsus, and all the impacted patients’ status is properly identified in our electronic medical records system," the statement notes.
Saint Alphonsus Health System and its parent organization – Trinity Health – did not respond to Information Security Media Group's request for more information.
Regulatory attorney Marti Arvin of the consulting firm CynergisTek says organizations must take specific steps to avoid these kinds of mailing errors.
"There needs to be very diligent communication regarding what file contains what victim type," she says. "When it is a large population, there are almost always a minimum of four different victim types: adult living and deceased, minor living and deceased. Then, some organizations choose to have different notification letters for different states if the language varies significantly for what that state requires versus what HIPAA or other states require. So the number of letter types can increase. Thus, the risk of improper merges increases."
Among those individuals affected by the Saint Alphonsus Health System email hacking incident are an undisclosed number of patients of a second entity - Saint Agnes Medical Center in Fresno, California, a sister organization - according to a separate statement issued on March 4 by the California healthcare provider.
"Initially, the incident was thought to only affect Saint Alphonsus. It was later discovered that some of the compromised information from [a breached] report belonged to Saint Agnes patients because hospital billing … is handled by Saint Alphonsus," the Saint Agnes Medical Center statement notes.
No St. Agnes patients were affected by the Saint Alphonsus mail merge mishap, a spokesperson for the California medical center says.
Saint Alphonsus Medical Center notes in its breach notification statement that the incident involved the compromise of an employee email account by an "unauthorized" actor.
"This individual used the employee's email to send phishing emails January 4-6 in their attempt to obtain login IDs and passwords," the statement notes. "Saint Alphonsus made the initial discovery on Jan. 6 and moved quickly to identify the source and nature of the activity and to secure the email account to prevent future cyberattacks," including retraining employees.
While there is no evidence of any misuse of information in the email account, a review of the compromise determined that a report may have been accessible. That report included patient names, addresses, telephone numbers, dates of birth, email addresses, medical record numbers, treatment information and billing information, the statement says.
For "a limited number" of individuals, Social Security numbers or credit card numbers were also in the exposed report, the statement says.
Other breach-related mailing mishaps have been reported in the healthcare sector.
In September 2019, Alive Hospice in Nashville, Tennessee, issued a “corrective” breach notification statement explaining that an earlier letter mailed in July 2019 to notify individuals and next of kin affected by a May phishing incident had gone awry.
Alive said some breach notification letters were addressed to the incorrect recipient due to an error occurring in the "address export process" for the mailing.
Some mailing blunders have led to messy disputes.
For instance, a 2017 mailing mishap by a third-party firm proved costly for health insurer Aetna. It paid more than $21 million, including fines from several state attorneys general, a HIPAA settlement from the Department of Health and Human Services, and a class-action lawsuit settlement (see: Aetna Fined Yet Again for Exposing HIV Information).
"Responding to patients about a data breach is a huge responsibility, and organizations must take additional precautions to ensure that it is handled properly to avoid further mistakes," says Susan Lucci, senior privacy and security consultant at tw-Security.
"Without proper oversight and testing of the planned response process, mistakes can and will happen as we have seen before. Trusting technology without testing and careful review of the steps in place is risky. Trust but verify before letters are sent out."
Lucci says entities should take a number of critical steps to avoid breach notification mishaps.
"If a large breach requires notification of hundreds or thousands of individuals, be involved every step of the way. Do sample reviews of the data. Think outside the box, using a 'what could potentially go wrong with this?' process," she says.
For example, if an organization is going to use a master patient index, or MPI, for mail merge processes, it must first examine whether the MPI was recently updated. "Is old information in there that is not applicable to the data breach? Are duplicate records present where an individual could receive multiple notifications?"
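One way to put the checks Arvin and Lucci describe into practice, as an added example that is not part of this article and not code from Saint Alphonsus, Trinity Health or any vendor named here: a Python pre-merge validation that derives each recipient's letter type (adult or minor, living or deceased) from the record's own fields and compares it with the template the mailing file assigns, flags duplicate medical record numbers that would produce multiple letters, reports rows with missing data, and draws a deterministic sample for a human to read against the source system before anything is printed. The field names, the 18-year age threshold and the sample rows are constructed assumptions; state-specific letter variants are not modeled.

```python
"""Pre-merge validation for a breach-notification mailing file.

Added example; the schema and sample rows below are constructed assumptions,
not the layout of any real mailing file.
"""
import random
from collections import Counter
from datetime import date

# Fields every row must carry before it may be merged into a letter (assumed schema).
REQUIRED_FIELDS = ("mrn", "name", "dob", "deceased", "template")
ADULT_AGE = 18  # assumed threshold separating the minor and adult letter types

# Constructed sample mailing file. Row 1 is a minor filed under the adult letter,
# row 3 repeats MRN-0001 under the wrong status, and row 4 lacks a date of birth.
SAMPLE_ROWS = [
    {"mrn": "MRN-0001", "name": "Example Adult", "dob": "1970-05-10",
     "deceased": False, "state": "ID", "template": "adult_living"},
    {"mrn": "MRN-0002", "name": "Example Minor", "dob": "2015-02-01",
     "deceased": False, "state": "ID", "template": "adult_living"},
    {"mrn": "MRN-0003", "name": "Example Estate", "dob": "1950-01-01",
     "deceased": True, "state": "CA", "template": "adult_deceased"},
    {"mrn": "MRN-0001", "name": "Example Adult", "dob": "1970-05-10",
     "deceased": False, "state": "ID", "template": "adult_deceased"},
    {"mrn": "MRN-0005", "name": "Example Unknown", "dob": "",
     "deceased": False, "state": "ID", "template": "adult_living"},
]
AS_OF = date(2021, 3, 1)  # constructed mailing date used for the age computation


def age_on(dob, as_of):
    """Whole years between dob and as_of, correcting for a birthday not yet reached."""
    years = as_of.year - dob.year
    if (as_of.month, as_of.day) < (dob.month, dob.day):
        years -= 1
    return years


def expected_template(row, as_of):
    """Derive the letter type from the record itself instead of trusting the file's column."""
    age = age_on(date.fromisoformat(row["dob"]), as_of)
    age_band = "minor" if age < ADULT_AGE else "adult"
    status = "deceased" if row["deceased"] else "living"
    return f"{age_band}_{status}"


def validate_mailing_file(rows, as_of):
    """Return every finding that must be cleared before the merge is released."""
    report = {"mismatches": [], "duplicates": [], "missing_fields": []}
    # An MRN appearing twice means one person would receive two letters.
    counts = Counter(row.get("mrn") for row in rows)
    report["duplicates"] = sorted(mrn for mrn, n in counts.items() if mrn and n > 1)
    for idx, row in enumerate(rows):
        # Empty strings and absent keys are missing; a False "deceased" flag is valid data.
        missing = [f for f in REQUIRED_FIELDS if row.get(f) in (None, "")]
        if missing:
            report["missing_fields"].append((idx, missing))
            continue
        derived = expected_template(row, as_of)
        if derived != row["template"]:
            report["mismatches"].append((idx, row["mrn"], row["template"], derived))
    return report


def release_gate(report):
    """True only when no finding remains; the merge should not run otherwise."""
    return not any(report.values())


def sample_for_review(rows, n, seed=0):
    """Deterministic sample of rows for a reviewer to check against the source system."""
    return random.Random(seed).sample(rows, min(n, len(rows)))


if __name__ == "__main__":
    findings = validate_mailing_file(SAMPLE_ROWS, AS_OF)
    for kind, items in findings.items():
        print(f"{kind}: {items}")
    print("release:", release_gate(findings))
    for row in sample_for_review(SAMPLE_ROWS, 2):
        print("review:", row["mrn"], row["template"])
```

Run against the constructed file, the gate stays closed: the minor filed under the adult letter and the duplicated MRN carrying a "deceased" template both surface as mismatches, so the file goes back to whoever built it rather than to the printer.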
When relying on the help of third parties for breach notification mailings, organizations should "make sure you have detailed communications with the vendor and clear expectations," Arvin says.
"Select a vendor that has experience in this area, particularly experience with large data breaches if the compromise involves a significant number of patient records."