Susquehanna Health Data Breach (2013)

On April 22, I noted that Susquehanna Health had notified HHS that 657 patients were affected by a breach on December 5, 2013 involving Unauthorized Access/Disclosure, E-mail. I could find no statement on their website at that time. I still cant find one, but their report to the Maryland Attorney Generals Office provides the missing details. On December 5, 2013, an employee at Soldiers & Sailors Memorial Hospital in Wellsboro, a Susquehanna Health affiliate, was responding to a routine request from an insurance carrier for claims information on their covered members. The employee, however, reportedly provided more information than what was required for covered members and also disclosed information on other patients who were not covered members of the insurance firm. To make matters worse, all of the information was sent to the insurance firm via unencrypted e-mail. If youre keeping score, Id count that as three HIPAA violations right there. But wait, it actually gets worse. Susquehanna Health did not learn of the breach until March 6 (they do not indicate how they learned of it), but when it started investigating it, it learned that the insurance company (Universal American) had forwarded (further released) the improperly shared data to its subcontractor, iGATE, for data analysis. The information included patients names, addresses, dates of birth, Social Security numbers, health insurance information, payment information, encounter identification numbers, physicians names, diagnostic codes, and patients employers. In response to the breach, Susquehanna Health conducted extensive re-training of the employee and the entire department and indicated it would be making other changes. Thankfully, the parties to whom the PHI was improperly released are themselves covered by HIPAA, so the risk of misuse of the information is relatively low. Despite that, Susquehanna did offer those affected free credit monitoring services for a year.