Accidental Transmission of PHI Causes Two Healthcare Data Breaches

Two data breaches have been reported which have been caused as a result of the accidental transmission of PHI, following simple errors made when sending data to vendors. Both incidents show how easy it is to breach HIPAA Rules covering the transmission of data, and how important it is to conduct staff training and instill a culture of data security compliance.

Nephropath Email Error Impacts 1,260 Patients

The first error concerns an email sent to a vendor. In this privacy breach, an employee of Nephropath (Nephropathology Associates) sent an email to a vendor containing de-identified patient data. The de-identified data were required by the vendor in order to conduct work duties as contracted. The transmission of data was via unencrypted email. Since the data was de-identified before it was sent, and there was no way of identifying patients, no HIPAA Rules were violated.

However, the employee sending the email accidentally attached a file containing the Protected Health Information of 1,260 patients, which did breach HIPAA Rules. In this instance, the recipient of the email was correct, but PHI was not required. It would appear that the email was not intercepted, and the recipient agreed to permanently delete the data. Nephropath confirmed that this was the case, and the vendor also reported that the information was at no point disclosed to any third party.

The PHI transmitted included patient names and ages, referring physician names, pathology diagnosis and Nephropath accession numbers. No Social Security numbers, insurance information or other highly sensitive data were contained in the email. The patients affected by the incident had used Nephropath’s services between 2000 and 2008.

In response to the privacy breach, Nephropath will be conducting further staff training in an effort to make sure that similar incidents do not occur in the future.

Jackson Memorial Hospital Data Breach – Faxing Error Exposes 150 Patient Records

The second incident was suffered by a Florida Department of Health’s Children’s Medical Services’ facility in Miami Dade county. In this privacy breach, the personal information of 150 individuals was accidentally faxed to four vendors who were contracted to provide services to CMS-Miami Orthopedic Clinic at Jackson Memorial Hospital.

A member of staff sent a clinic roster to each of the four vendors by fax. The roster contained patient names, membership numbers and dates of birth. No highly sensitive information was detailed on the fax, and all four vendors agreed to permanently and securely dispose of the faxed document.

In this instance, the transmission of PHI occurred without patient authorization, which breaches HIPAA Rules. In order to prevent similar privacy breaches, staff will receive further training on patient privacy rules.

Policies Should be Introduced to Prevent the Accidental Transmission of PHI

In both incidents, only a very limited amount of data was exposed, and patients are not believed to be at risk of suffering harm or losses as a result of the breaches. In accordance with HIPAA Rules, they have been advised of the privacy breaches by mail. The Department of Health and Human Services’ Office for Civil Rights has been informed of the Nephropath data breach. Under HIPAA Rules, small data breaches involving the disclosure of fewer than 150 individuals’ PHI do not need to be reported immediately. In the latter breach, the OCR will be notified before March 1, 2016 in accordance with the HIPAA Breach Notification Rule.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of