Indiana Hospital Reveals Security Breach
The confidentiality of protected health information (PHI) for approximately 1,800 patients at St. Vincent Indianapolis Hospital was compromised recently due to an e-mail security breach. The Indiana hospital posted a notice on its website shortly after discovering the breach, and says notification letters to affected individuals have been sent.
The security breach occurred Nov. 12, 2010 when “some St. Vincent Indianapolis employees unintentionally revealed their e-mail login information to third parties,” the hospital’s online notice states. The security breach allowed unauthorized “third parties” to access e-mail accounts that contained PHI, such as names, dates of service, and clinical and diagnostic information.
A breach of this size, however, is just a drop in the bucket compared to some.
By law, health care providers, health plans, and other entities covered by the Health Insurance Portability and Accountability Act (HIPAA) are required to report a breach of unsecured PHI affecting 500 or more individuals to the U.S. Department of Health and Human Services (HHS). These breaches are listed on the HHS website.
Since the breach notification provision of the Health Information Technology for Economic and Clinical Health (HITECH) Act went into effect, many breaches have been reported—225 to date. The largest security breach reported thus far is by AvMed Inc., which reported Dec. 10, 2009 that a stolen laptop compromised the security of PHI for 1,220,00 individuals.