Dignity Health reported multiple data breaches and HIPAA violations to the Department of Health and Human Services’ Office for Civil Rights (OCR). There was an unauthorized access of patients’ PHI, a business associate accessed PHI without entering a BAA first and an unauthorized access exposed 55,947 patient records.
Dignity Health reported that an employee of its St. Joseph’s Hospital and Medical Center had accessed the PHI of 229 patients from October 13, 2017 to March 29, 2018 without proper authorization. The unauthorized access was found out during a periodic PHI access logs review. The information that was potentially compromised included patients’ names, birth dates, demographic information, patient notes and diagnostic information. There was no Social Security number or financial information exposed during the breach, so patients were not advised to take any action to protect their identities. Nevertheless, patients received notification as a precaution and to meet HIPAA requirements. Dignity Health also implemented the proper disciplinary action on the employee that violated hospital policies and HIPAA rules.
Dignity Health reported to OCR a data breach at St. Rose Dominican Hospitals in San Martin, Siena and Rose de Lima campuses in Nevada on May 10, 2018. On April 6, 2018, St. Rose Dominican Hospitals shared with a third-party contractor the PHI of 6,036 patients needed for preparing health-related court documents for hearings. Unfortunately, during this time the contractor’s business associate agreement expired yet PHI sharing continued. This incident had been resolved and to prevent a similar problem from happening again, the necessary controls had been implemented.
Dignity Health reported another data breach on May 31. It involved an unauthorized access that involved email. A business associate was also somewhat involved, though information on the breach was not enough.