Alive Hospice, based in Tennessee, experienced a healthcare breach that began with phishing emails. In a phishing email, an attacker poses as a trusted sender to get recipients to click a malicious link, which can give the attacker access to the recipient's email account. The incident was reported on July 3rd and affected 608 patients. Under the Health Insurance Portability and Accountability Act (HIPAA), Alive was required to mail data breach notification letters to the affected patients within 60 days of detecting the breach.
Although Alive sent out the breach notification letters in a timely fashion, it discovered that the letters had been mailed with the incorrect recipient names. Upon discovering the mailing issue, Alive sent out “corrective” breach notification letters explaining the problem with the previous letters. Alive believes that, because the initial letters did not reference patient information or the treatment provided to the patients, no protected health information (PHI) was leaked.
Incorrect Breach Notification is a Breach
Although there is some debate over whether the incorrect mailing constituted a breach, Alive reported the incident to the Department of Health and Human Services (HHS). HHS considers patient names PHI. Even without any reference to health information, each letter carried the wrong patient's name on Alive Hospice letterhead, which by itself reveals that the named person is or was a patient at Alive.
David Holtzman, Executive Advisor at CynergisTek, agrees, as he told Information Security Media Group: “In this case, where the organization used its letterhead stationery on which it printed an individual’s name about an earlier incident in which PHI was disclosed, that in turn was disclosed to a third party, the covered entity should employ its incident response policy to fully investigate what caused the incident and mitigation steps to avoid a repeat of a similar event.”
When sending out breach notification letters, it is important to ensure that the letters are addressed to the correct recipient. Sending a breach notification letter with the wrong patient name constitutes a breach of PHI.
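One pre-mailing control that would catch the failure described above is to reconcile every generated letter against the authoritative patient list before anything is printed. This is an added example, not Alive Hospice's process; the record layout, the patient IDs and the sample data are constructed, and the shifted-name rows only illustrate one way a mail merge can go wrong, since the page does not say what caused the mix-up.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Record:
    patient_id: str   # stable key shared by the master list and the merge output
    name: str         # name as it will appear on the letter
    address: str      # mailing address as it will appear on the envelope


def _norm(s: str) -> str:
    # Compare names/addresses without caring about case or stray whitespace.
    return " ".join(s.split()).casefold()


def reconcile_letters(master, letters):
    """Return (patient_id, problem) tuples for every generated letter whose
    name or address does not match the authoritative record, for letters
    addressed to unknown patients, and for patients who got no letter.
    An empty list means the batch is safe to print."""
    by_id = {r.patient_id: r for r in master}
    problems, seen = [], set()
    for letter in letters:
        seen.add(letter.patient_id)
        expected = by_id.get(letter.patient_id)
        if expected is None:
            problems.append((letter.patient_id, "letter for unknown patient"))
            continue
        if _norm(letter.name) != _norm(expected.name):
            problems.append((letter.patient_id,
                             f"name mismatch: letter says {letter.name!r}, "
                             f"record says {expected.name!r}"))
        if _norm(letter.address) != _norm(expected.address):
            problems.append((letter.patient_id, "address mismatch"))
    for pid in by_id:
        if pid not in seen:
            problems.append((pid, "no letter generated"))
    return problems


# Constructed sample data: the merge output has the name column slipped by one
# row for the last two patients, so each would receive a letter bearing
# someone else's name (hypothetical, for illustration only).
MASTER = [Record("P001", "Ada Lovelace", "1 Analytical Way, Nashville TN"),
          Record("P002", "Alan Turing", "2 Enigma Rd, Nashville TN"),
          Record("P003", "Grace Hopper", "3 Compiler Ct, Nashville TN")]
LETTERS = [Record("P001", "Ada Lovelace", "1 Analytical Way, Nashville TN"),
           Record("P002", "Grace Hopper", "2 Enigma Rd, Nashville TN"),
           Record("P003", "Alan Turing", "3 Compiler Ct, Nashville TN")]


def sample_problems():
    return reconcile_letters(MASTER, LETTERS)
```

Run the reconciliation as a gate in the mailing job: if it returns anything, the batch is held and the merge is regenerated rather than printed.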