On April twenty-fourth Dignity Health allowed approximately fifty-six thousand patient records to be compromised by its subcontractor Healthgrades. On May thirty-first Dignity Health reported the breach to the Office for Civil Rights (OCR) under HHS, as HIPAA requires for any breach affecting more than five hundred records.
It will surely be found that a sorting error in an email list caused the breach, and that a lack of proper vendor oversight and of risk management allowed it to happen. In a press release Dignity Health said, “Dignity Health and Healthgrades investigated and corrected the problem and the companies are putting appropriate steps in place so that it will not happen again.”
Dignity Health stated that no medical, financial or insurance information was disseminated, although some of the emails included patient and doctor names, according to a news release issued by the health system. It also said each misdirected email was transmitted to only one incorrect person per patient.
If proper communications security had been in place, the emails would have been encrypted and unreadable by the recipients of the mistakenly transmitted messages. With proper vendor oversight, this missing security control could have been discovered during a third-party risk management, privacy and security assessment.
Had such an assessment been performed and the gap in controls discovered, the item would have been marked for remediation; proper controls would have been put in place during remediation and there would be no breach to report. This is another unfortunate example of why risk management is worth the investment. Had either Dignity Health or Healthgrades performed the security assessment required by HIPAA, their patients would not have to worry about information they own being compromised.
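As an added illustration (not code from the original post, nor from Dignity Health or Healthgrades, whose actual mailing pipeline is not described here), the following Python shows how a sorting error in a mailing list can send every notice to one wrong person, and the kind of pre-send reconciliation control a third-party security assessment would look for. The mechanism assumed is that one list was sorted and then paired with the other by position; the patient and notice data are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Patient:
    patient_id: str
    name: str
    email: str


@dataclass(frozen=True)
class Notice:
    patient_id: str  # the patient this message is about
    body: str


# Constructed sample data (hypothetical): three patients and one notice each.
# Note that the patient list is NOT in the same order as the notice list.
PATIENTS = [
    Patient("p3", "Carol", "carol@example.test"),
    Patient("p1", "Alice", "alice@example.test"),
    Patient("p2", "Bob", "bob@example.test"),
]
NOTICES = [
    Notice("p3", "Your appointment with Dr. Lee is confirmed."),
    Notice("p1", "Your appointment with Dr. Kim is confirmed."),
    Notice("p2", "Your appointment with Dr. Park is confirmed."),
]


def build_batch_positional(patients, notices):
    """Flawed pairing: the recipient list is sorted (by name) but the notice
    list is not, and the two are then joined by position. One sort on one
    side is enough to misroute every message in the batch."""
    recipients = sorted(patients, key=lambda p: p.name)
    return [(r.email, n) for r, n in zip(recipients, notices)]


def build_batch_keyed(patients, notices):
    """Safer pairing: look each recipient up by the notice's own patient id,
    so ordering of either list is irrelevant."""
    by_id = {p.patient_id: p for p in patients}
    return [(by_id[n.patient_id].email, n) for n in notices]


def reconcile(batch, patients):
    """Pre-send control: return every (address, patient_id) pairing whose
    address does not belong to the patient the notice is about."""
    owner_of = {p.email: p.patient_id for p in patients}
    return [(email, n.patient_id) for email, n in batch
            if owner_of.get(email) != n.patient_id]


def release_batch(batch, patients):
    """Gate the send: hand the batch back only if reconciliation is clean."""
    mismatches = reconcile(batch, patients)
    if mismatches:
        raise ValueError(f"refusing to send: {len(mismatches)} misdirected message(s)")
    return batch


if __name__ == "__main__":
    bad = build_batch_positional(PATIENTS, NOTICES)
    print("positional pairing mismatches:", reconcile(bad, PATIENTS))
    good = release_batch(build_batch_keyed(PATIENTS, NOTICES), PATIENTS)
    print("keyed pairing released", len(good), "messages")
```

With the sample data, the positional build sends all three notices to the wrong patient, exactly one wrong recipient per patient, and `release_batch` refuses the batch; the keyed build reconciles cleanly. An assessor reviewing a vendor's mail-merge process would expect a join on a stable key plus a reconciliation step like this before any batch is released.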
Currently OCR has an open investigation into the matter. I assure you that proper vendor oversight and security assessment will be among the recommendations. It would behoove both Dignity Health and Healthgrades to start a vigorous risk management program before one is forced upon them as a recommendation from OCR.