San Francisco-based Dignity Health, a 39-hospital system operating in three states, is under federal investigation after a breach compromised the data of 55,947 patients, the San Francisco Chronicle reports.
The breach occurred April 24 but wasn't reported to HHS' Office for Civil Rights until May 31. As mandated by HIPAA, breaches that affect more than 500 patients must be reported to the agency within 60 days of discovery. Dignity's breach was the third-largest reported that month, according to the publication.
The breach stemmed from a sorting error on an email list formatted by Healthgrades, an online appointment-scheduling site under contract with Dignity. The error led Dignity to accidentally send misaddressed emails to patients that included the wrong patient's name and, in some cases, their physician's name. No financial, insurance or medical information was compromised.
The error has been corrected, and Dignity and Healthgrades said they notified all affected individuals.
"All of us at Dignity Health and Healthgrades take our responsibility to protect patients' personal and medical information very seriously," Dignity told the San Francisco Chronicle. "We sincerely regret that this error happened and any concern or confusion it may have caused."
Healthgrades partners with more than 500 hospitals to ease online scheduling. It is unclear whether the email list formatting error affected other organizations.
© Copyright ASC COMMUNICATIONS 2018.