Indian Health Service Data Breach (2015)

On August 25, 2014, the Indian Health Service (IHS) Bemidji Area determined that a physician employed by a staffing company under contract with the IHS had improperly accessed protected health information from three IHS facilities. The three facilities affected are the Fort Yates Service Unit in the IHS Great Plains Area, the Cass Lake Service Unit in the IHS Bemidji Area, and the Crow Service Unit in the IHS Billings Area. The data breach included patient names, Social Security numbers, and health information such as diagnoses, prescribed medications, and laboratory results. However, there is no current indication that the information has been used by or disclosed to any unauthorized individuals. The IHS contract at issue contained the requirement that contractors must protect patient privacy and comply with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and its implementing regulations. Even though these protections were required as a part of the staffing company's contract with IHS, the contract provider improperly accessed these records. "IHS is very disappointed that this breach occurred given that the staffing company contract included the requirement that contract providers must protect patient privacy and meet HIPAA regulations. We are committed to ensuring the security and integrity of all our patients' personal information and are putting additional protections in place" said Acting IHS Director Dr. Yvette Roubideaux. "Keeping patient information secure is of the utmost importance to us, and we very much regret that this situation occurred." In accordance with regulations implementing HIPAA, the IHS has notified all persons whose information was improperly accessed. On October 17, 2014, the IHS sent letters by first class mail to the affected patients to notify them of the privacy breach. Affected patients were also provided phone numbers to call the Area HIPAA Coordinators. As a measure of added security, the IHS is offering one year of free credit monitoring and reporting services to these affected patients. Also, to help protect against further breaches, all contract staff serving the affected Areas are being required to sign a Confidentiality Agreement stating that individually identifiable information is to be held in strict confidence.