Friday, December 4, 2015

WakeMed again in the HIPAA Hot Seat

While I previously have taken down a post at the request of WakeMed I felt that I had to report this one. As reported on WRAL:

WRAL in North Carolina reports:
A Cary law firm has filed a motion against WakeMed, accusing the hospital of releasing patients’ private information, including Social Security numbers, making them susceptible to identity theft.
Cort Walker, a bankruptcy and civil business litigation attorney at Sasser Law Firm, said he noticed a problem while reviewing records WakeMed had filed to collect debts from former patients who had declared bankruptcy.
[…]
The law firm says it found 158 cases involving its clients dating back to 2013 where WakeMed violated federal bankruptcy code by including Social Security numbers, full dates of birth and medical records.
Read more on WRAL.

As they note in their report, and as noted in the motion for contempt, sanctions, and damages,  Duke University Health System had a similar situation three years ago. I had covered that breach at the time, and noted that it had been reported to HHS as a HIPAA breach. WakeMed will almost certainly report their incident to HHS, although depending on how many patients, total, have had their PHI exposed,  we may not see it in the public breach tool.

Like most HIPAA-covered entities, WakeMed has been noted on this site before. Most recently, in 2014, this site noted reports by SLC Security that WakeMed was leaking patient PHI and they had reached out to them and spoken to them, but the leaks persisted, and WakeMed did not respond to attempts by SLC Security or this site to alert them and get a response from them.  It is not known to this site whether WakeMed ever reported the alleged leaks to HHS, but there is no entry in HHS’s public breach tool.
Credit to DataBreaches.net for the heads up on this one. 
Previously we reported on a problem with communications from the EPIC system that is even more troubling. This entity continues to have issues. Maybe they should hire us to do a full assessment?

No comments:

Post a Comment