Avoiding Breach Notification BlundersWhat Can Be Learned From Hospice's Mailing Mishap That Triggered 'Corrective' Notification?
This story has been updated
See Also: The 5 Foundational DevOps Practices
A mishap involving the mailing of breach notification letters has led a Tennessee hospice to issue a "corrective" privacy breach notification.
The incident is yet another example of why healthcare organizations need to carefully scrutinize their breach response and notification processes.
On Sept. 6, Alive Hospice in Nashville, Tennessee, issued a "corrective" breach notification statement explaining that an earlier letter in July to notify individuals and next of kin affected by a May phishing incident had gone awry.
"On July 3, Alive Hospice undertook a mailing of notification letters to individuals potentially affected by a recent data privacy incident," notes the Sept. 6 statement from Alive. "On or about July 9, Alive learned that an error occurred in the address export process for the mailing, which resulted in the notification letters being addressed to the incorrect recipient."
Alive Hospice says it "immediately took steps to correct the address error" and then mailed a corrective letter to all recipients of the July 3 mailing. "This subsequent notice included a statement explaining the issue with the prior mailing," the hospice says.
The initial notification letters did not include any reference to treatment provided or to protected health or patient information, Alive says. "The letters included the incorrect recipient's name and referenced Alive Hospice as the entity making the notification."
A Second Breach?
But some regulatory experts dispute Alive's contention that the incorrect recipient's name included in the original mailings isn't PHI.
"In all probability, this would constitute a separate breach," says Rich Curtiss, director of healthcare risk assurance services at security consulting firm Coalfire. "Assuming the individual identified in the notice is under hospice care and a name is provided in the notice, that could meet the definition of PHI and criteria for an unauthorized disclosure as defined by the Department Health and Human Services."
Privacy attorney David Holtzman of the security consulting firm CynergisTek offers a similar assessment.
"HHS' Office for Civil Rights could view the incident in which the wrong individual was sent correspondence from the covered entity as a reportable breach," he says.
The HIPAA Privacy Rule specifies that an individual's name maintained in a covered entity's designated record set is PHI, he points out.
"In this case, where the organization used its letterhead stationery on which it printed an individual's name about an earlier incident in which PHI was disclosed, that in turn was disclosed to a third party, the covered entity should employ its incident response policy to fully investigate what caused the incident and mitigation steps to avoid a repeat of a similar event."
As of Tuesday, the HHS' Office for Civil Rights' HIPAA Breach Reporting Tool website that lists health data breaches affecting 500 or more individuals listed two recent incidents reported by Alive. That includes a breach reported on July 3 impacting 608 individuals, and an earlier breach reported on July 13, 2018 affecting nearly 1,900 individuals. Both are described as hacking/IT incidents involving email.
In a statement, Alive tells Information Security Media Group that the hospice also filed a third breach report to HHS for the postal mailing incident, which impacted 533 individuals, but that the report has not yet been added to the federal tally.
Making Matters Worse
Mailing errors can make a messy situation far worse, as earlier incidents have shown.
For example, the 2017 mailing mishap by a third-party firm cost health insurer Aetna more than $20 million, including fines from several state attorneys general and a class action lawsuit settlement (see Aetna Fined Yet Again for Exposing HIV Information).
Aetna had a third party mail out letters to about 12,000 of its health plan members in several states to inform them of the new options for filling their HIV prescriptions. But the members' HIV drug information was potentially visible through that mailing's envelopes, which had transparent windows.
The reason that Aetna needed to send those 2017 letters was due to an earlier privacy dispute. In 2014, Aetna settled a class action lawsuit in which attorneys for plaintiffs argued that Aetna's policy at the time that required filling HIV prescription drugs by mail order left the privacy of patients' HIV status vulnerable to exposure to family, neighbors and others (see Yet Another Twist in Messy Aetna Privacy Breach Case).
So how can organizations avoid breach notification blunders?
"Smaller covered entities such as long-term care, hospice care and federally qualified health centers are typically not staffed with a full-time, qualified HIPAA privacy and/or security officer," Curtiss notes.
"Often, these are 'other duties as assigned.' It is critically important that, irrespective of the size and budget of the organization, the individuals responsible for HIPAA compliance are trained and qualified to perform those functions necessary to protect the patients and the organization. Checks and balances or separation of duties are absolutely necessary to prevent PHI breaches, whether electronic or physical."
Many breach response-related mishaps are easily preventable by employing foundational concepts - such as quality assurance or "a second set of eyes" - to ensure the process necessary for breach reporting is thorough and accurate, Curtiss says.
Tom Walsh, president of tw-Security, notes that "extreme caution" must be taken when an entity communicates about a breach to those whose data was exposed. "You cannot un-ring a bell," he says.
Many organizations devote far more effort to the content of the notification letter than to the delivery of the message, he notes.
"For example, a privacy officer will draft the notification letter and run it by legal counsel," he says. "The mailing of the notifications may be outsourced, so there may not be a formal review of a test batch of letters prior to sending all of the letters."
Susan Lucci, senior privacy and security consultant at tw-Security, notes that organizations -such as Aetna - that rely on vendors' to help with breach notifications must be mindful of their partners' practices.
"Oversight and careful management of a vendor to alert them to the differences in projects is essential to ensure missteps are not made," she says. "The philosophy of ongoing, regular communication and maintaining a close working relationships with business associates is essential."
Business associates essentially are an extension of the workforce of an organization. Lucci notes. "That means the same level of education, reminders, and alerts to changes in cybersecurity risks should be shared regularly with business associates if security incidents and breaches are to be avoided."