Major Health System Accidentally Shares Patient Information Due to Third-Party Software for the Second Time This Year

A sorting error affected nearly 56,000 California patients after misaddressed emails containing sensitive information were sent to incorrect patients.

by Catherine Ho, San Francisco Chronicle / June 13, 2018

(TNS) — Federal health officials are investigating an April data breach that affected 55,947 patients of Dignity Health, a major health system headquartered in San Francisco that operates 39 hospitals and 400 care centers in California, Nevada and Arizona.

The breach occurred April 24 and was reported to the U.S. Department of Health and Human Services on May 31. It was the third-largest data breach, by number of affected patients, reported to the federal health agency that month. The incident is being reviewed by the department’s Office for Civil Rights, which investigates breaches of protected health information that affect at least 500 people. The office did not return a request for comment Tuesday.

Dignity said the problem originated from an email list that contained a sorting error; the list was formatted by one of its vendors, the online appointment scheduling site Healthgrades. The error resulted in Dignity inadvertently sending patients misaddressed emails that contained the wrong patient’s name and, in some cases, the patient’s doctor’s name. Each misaddressed email was sent to one person.

The emails did not include financial, insurance or medical information, according to Dignity. Dignity and Healthgrades have notified the affected patients, the companies said. The error has been corrected and the companies are taking steps to prevent it from happening again, they said.

“All of us at Dignity Health and Healthgrades take our responsibility to protect patients’ personal and medical information very seriously,” Dignity said in a statement. “We sincerely regret that this error happened and any concern or confusion it may have caused.”

A spokeswoman for Healthgrades, based in Denver, did not immediately return a request for comment. On its website, the company says it helps millions of consumers find and schedule appointments, and it partners with more than 500 hospitals across the United States. It is unclear whether the same email error has affected patients at providers other than Dignity.

Dignity patients with concerns or questions can call 877-802-1959.

In a separate incident disclosed to the Department of Health and Human Services on May 10, three Dignity hospitals in Nevada reported a breach affecting a combined 6,036 patients. In that incident, Dignity mistakenly continued to share private medical information about patients with a third-party contractor after it had terminated its contract with the company.

©2018 the San Francisco Chronicle. Distributed by Tribune Content Agency, LLC.