In this case study, our HIPAA experts review threats and breaches. In May of 2012, a HIPAA covered entity notified the California Department of Social Services (CDSS) that personal information for more than 700,000 homecare providers and recipients was lost in the mail. The entity, which handles the payroll data for workers in California’s In-Home Supportive Services program, shipped information, including Social Security numbers, to another office, where the shipment arrived damaged and incomplete.
“It’s hard for us to believe that in one of the largest states in the union, we’re using such an antiquated system,” said Steve Mehlman, a spokesperson for a labor union representing homecare workers. “It clearly needs to be modified.”
The packages were mailed on April 26th and arrived at the Riverside Office on May 1st. The state was notified a week later, according to a post on a state website.
Oscar Ramirez, a spokesman for the CDSS, said that notices would be sent to everyone who might have been affected, and officials are reviewing policies to prevent future issues.
In an article in the Los Angeles Times, Ramirez said, “We’re going to look at this and get to the bottom of it.”
The missing information contained Social Security numbers as well as state identification numbers.
“While we continue to investigate, at this time we can’t confirm whether the information was damaged, lost or stolen,” said an internal government email obtained by the Los Angeles Times.
The incident should be a wake-up call for all organizations mailing and transporting sensitive information. Management should review the processes and ensure that they are secure and not outdated. Incorporating HIPAA as a training requirement for your staff should help mitigate the risks involved. There are many online training courses available.
Additionally, organizations should have a plan of action in case of a breach. The plan should contain information on the proper parties to contact as well as how to communicate with those affected by the breach. HIPAA violations are expensive: penalties can range from $100 to $50,000. Being prepared can help minimize the damage and help retain the integrity of your organization. The privacy and security of your patients should always be a top priority for your organization.
Case Study Sources: