Impermissible Disclosure of 5,300 Patients’ PHI Due to Mailing Errors

HIPAA-covered entities recently reported two communication errors that caused the impermissible disclosure of the personal and protected health information (PHI) of 5,339 patients.

Impermissible PHI Disclosure at Mercy Health Physician Partners Southwest

Mercy Health Physician Partners Southwest, located in Byron Center, MI, began mailing breach notification letters on February 10, 2019 to inform its patients about a recent mailing error committed by a third-party vendor hired by Mercy Health.

Mercy Health gave the mailing vendor a list of 3,164 patient names and addresses so that it could send those patients letters about a physician’s departure. Because of a mistake in the mailing, the names were mismatched with the addresses, and 2,487 patients received a notice that was addressed to another patient. There was no disclosure of other sensitive information.

The breach investigators discovered that the vendor had not signed a business associate agreement (BAA). Giving the vendor a copy of the patient list was therefore a HIPAA violation: an impermissible disclosure of PHI. The mailing vendor has given Mercy Health satisfactory assurances that it knows its responsibilities as required by HIPAA, and there is now a BAA in place.

Email Error at Hawaii Hospital

On February 3, 2019, a staff member of Queen’s Health Systems in Hawaii sent an email with a file attachment to the wrong recipient. The file attachment contained the PHI of 2,852 patients of the Queen’s North Hawaii Community Hospital and the Queen’s Medical Center. The email error was discovered the next day.

Queen’s Health Systems tried to contact the individual to whom the email was sent by mistake to confirm that the patient list had been deleted. However, no response has been received. The information contained in the email attachment included the names of patients, health plan ID numbers, admission and discharge dates, and limited data regarding the care received. The file additionally included the diagnoses of 300 patients. The breach impacted patients who obtained healthcare services after June 1, 2019.

No reports have been received that indicate misuse of patient information. Patients were advised to keep track of their explanation of benefits statements and to submit a report if any listed patient services were not received.