1,600 Ohio Patients Impacted by Impermissible Disclosures of PHI

993 Ohio residents who are beneficiaries of Medicaid or have received services from the Ohio Department of Job and Family Services (ODJFS) are being informed that some of their protected health information (PHI) has been made available to unauthorized persons because of a computer error.

There were three distinct incidents identified. The first occurred on February 16, 2019, when a computer error caused the PHI of 250 users of the Ohio Benefits Self-Service Portal to show up in the account of another user. The error was discovered and fixed on the same day.

On March 20, 2019, 100 individuals were affected by a computer error which caused information inputted into the Ohio Benefits portal to be saved to incorrect accounts. The IT team temporarily fixed the computer error, but a permanent solution is still under development. Also on March 20, a computer error resulted in the mailing of documents containing the PHI of 608 members of ODJFS, 34 Medicaid benefits recipients, and one person who gets both benefits, to 5 different people. This error was resolved on March 22, 2019.

In all instances, the privacy breach involved only names, dates of birth, claim numbers and case numbers saved in the Ohio Benefits System. Affected persons were given free identity theft protection services for one year as a safety measure.

University Hospitals Rainbow Babies & Children’s Hospital in Cleveland, OH also experienced an unauthorized disclosure incident. In this case, an error was made by an employee when sending an email to 840 patients on February 28. Although no specific information was mentioned in the email, the message implied that all recipients of the email had a similar medical condition.

The message recipients should have been added to the BCC field of the email, but the employee put their email addresses in the ‘To’ field. Consequently, all recipients of the email could see the email addresses of all 840 patients.

The hospital has notified all persons affected by the privacy breach and has sanctioned the employee. The employee was retrained on proper email procedures and patient privacy. All other employees will also be retrained on HIPAA requirements.