San Francisco-based Dignity Health, and one of its business associates, reported an unauthorized access/disclosure incident impacting the medical records of 55,900 patients.
According to the U.S. Department of Health and Human Services (HHS) Office of Civil Rights (OCR) breach portal, which contains information about data breaches impacting more than 500 patients, Dignity Health reported the incident on May 31 and categorized the incident as “unauthorized access/disclosure” involving and affecting 55,947 patients.
Dignity Health officials sent a statement to Healthcare Informatics, dated June 4, regarding the data breach incident. “On April 24, 2018, Dignity Health, including its affiliates Dignity Health Medical Group Nevada, LLC, and Dignity Health Medical Foundation, discovered that an email list formatted by Healthgrades, one of its business associates, contained a sorting error. This error resulted in Dignity Health inadvertently sending misaddressed emails to a group of patients, informing them of a new online appointment scheduling tool. Immediately upon learning of the incident on April 25, Dignity Health and Healthgrades launched a comprehensive investigation.
Dignity Health and Healthgrades have taken immediate steps to notify the affected patients, the organizations stated. Dignity Health and Healthgrades investigated and corrected the problem and the companies are putting appropriate steps in place so that it will not happen again.
“Each misdirected email was sent to only one person. The emails contained the wrong patient’s name and, in some cases, his or her physician’s name. No other information was included in the email. Importantly, there was no financial, insurance, or medical information included,” the statement read.
“All of us at Dignity Health and Healthgrades take our responsibility to protect patients’ personal and medical information very seriously. We sincerely regret that this error happened and any concern or confusion it may have caused,” the organizations wrote in the statement.