It did for University of Pennsylvania patients.
The University of Pennsylvania Health System (Penn), through its billing business associate, RevSpring, inadvertently sent patients bills containing both their information and information of other patients. “RevSpring, a Michigan-based billing vendor used by Penn, believes the misprinted bills which caused the data breach were due to a printing malfunction. While the front of the statements were printed correctly, the reverse contained a second patient’s information. Penn stated that the information was limited to patient names, physician names, service and test information, and the amount owed by the patient, and did not include dates of birth, diagnoses, insurance numbers, or Social Security numbers. While an exact number of affected patients was not given, Penn noted that it was more than 1,000. RevSpring reported the error to Penn on December 5, and has since notified affected patients and investigated the incident to prevent a recurrence.” Article.
Interestingly, and although not guaranteed, the Department of Health and Human Services (HHS) said it would not penalize an unintentional data breach that is corrected within 30 days, but it is unclear whether Penn’s response the breach would be enough from HHS’s perspective.
Health care providers are relying more and more on technology being incorporated into their practices. This include electronic medical records, data exchanges between satellite offices, internets, intranets and externets, and business associates and their subcontractors. However, as health care providers rely on technology, they must have the appropriate policies and procedures in place to ensure that unsecured protected health information (“PHI”) is not inadvertently disclosed to the wrong patients.
Given the devastating civil and criminal penalties associated with data breaches, as well as the reputational harm, health care providers need to work with a health care attorney that specializes in preparing and implementing appropriate policies and procedures, and effectively train staff to avoid potential data breaches.
Tell us how your organization protects its information? Share your ideas with us by clicking on the comment button below. We’d love to hear from you.
Get “News You Can Use” delivered directly to your e-mail inbox. Click here to Subscribe.