Two Employees Dismissed for Impermissible Disclosures of PHI to Third Parties

Humana has discovered that a staff member of a subcontractor hired by a business associate impermissibly shared the protected health information (PHI) of around 65,000 members with a third party for training purposes.

Humana contracted Cotiviti to provide medical records management services. Cotiviti in turn used a subcontractor to review the requested health files. Under HIPAA, subcontractors employed by business associates must also comply with HIPAA.

The privacy violations took place between October 12, 2020 and December 16, 2020. Cotiviti informed Humana of the HIPAA violation on December 22, 2020. Cotiviti and Humana worked together to make certain that security procedures are in place to prevent similar privacy breaches from happening again. Those safeguards are also set up at any subcontractors it hires. The individual who shared the information is no longer employed by the subcontractor.

The types of records compromised include member names, phone numbers, dates of birth, addresses, email addresses, full or partial Social Security numbers, insurance identification numbers, provider names, medical record numbers, dates of service, treatment data, and medical photos.

Although the disclosures were not made with malicious intent and it is believed that there was no further exposure of the PHI, Humana is providing affected individuals with 2 years of free credit monitoring and identity theft protection services.

UPMC St. Margaret Dismisses Employee for Impermissible Disclosure of PHI

UPMC St. Margaret has learned that an employee disclosed the protected health information of some of its patients to a third-party provider without authorization.

In August 2020, UPMC St. Margaret learned that an organization had received a medication administration report despite having no legitimate work purpose for it. The report included details such as names, UPMC ID numbers, and medication administration data, including drug name, dose, time/date of administration, and the reason for the medication.

After discovering the impermissible disclosure, UPMC terminated the staff member’s access to UPMC systems and terminated the person’s employment after the investigation was finished. The provider notified the impacted persons of the privacy breach on March 5, 2021. No reason was provided for the delay in sending the notification.