HIPAA Breach Compromised Data from 187,533 Patients

By ThinkReliability Staff

On July 1, 2013, 187,533 clients of the Indiana Family and Social Security Agency (FSSA) were notified that their medical and financial information may have been accidentally sent to other clients.  Of these, nearly 4,000 may have had their social security numbers disclosed.  Not only is this a breach of the Healthcare Insurance Portability and Accountability Act (HIPAA), it can potentially result in identity theft for those patients affected.

There’s more to this case than initially meets the eye, and many open questions.  We can get our bearings around what is known and what is as yet unknown that may have resulted in issues for patients and the agency involved by capturing the information within a Cause Map, or visual root cause analysis.  Doing so for events that occur can increase Healthcare reliability by delving deeper into related causes, leading to better solutions.

The first step when beginning an investigation is to capture the what, when and where of an incident as well as the impacts to the goals.  If more than one date is relevant, it may be helpful to capture it in a timeline.  In this case, the error was introduced on April 6, 2013.  The error was fixed (at which point the data breach ended) on May 21, 2013.  However, clients were not notified of the potential breach until July 1, 2013.

The impacts to the organization’s goals are those things that prevent an organization from having a perfect day.  In this case, nobody was injured and it’s unclear if there was an impact to employees.  The compliance goal was impacted due to the HIPAA breach.  The organization is impacted because of the breach of patient trust.  Patient services were impacted due to compromised confidential patient information and the potential for identity theft.

We begin with one of the impacts to the goals and ask “Why” questions to develop the cause-and-effect  relationships that led to the impact.  In this case, identity theft is a potential issue because of the compromised patient and financial information, especially social security numbers.  However, the longer the period between the potential breach and when patients are notified, the greater the risk for identity theft.  In this case, from the date that the programming error was incorporated into the system until the patients were notified of the breach was 86 days.  Of this, 34 days elapsed before the error was noticed, but there has been no explanation for the additional 52 days before the notification.  Because the speed of the notification is so important, the “why” here should be addressed in the Cause Map and solutions developed to ensure a speedier notification system in the case of another breach.

We can also ask additional “why” questions to determine how the breach happened in the first place.  Clients were sent confidential health and financial information belonging to other clients.  Though details are sparse, an improperly used variable resulted in an error in the customized coding provided by a contractor to the agency.  How the error made it in – and why it wasn’t found by either the contractor or the agency involved – is unclear.  These are questions that need to be answered during the root cause analysis to reduce the risk of this kind of issue happening again.

The potentially compromising mailing continued for 45 days, increasing the number of people impacted.  (The agency says that because of the way the mailings are done, they have no way to know whose information was actually sent out.)  Of these 45 days, it took 34 days to notice the error.  (How the error was noticed is also not clear but is additional information that should be included in the analysis.)  After the error was discovered, the mailings apparently continued while the error was being fixed for 11 days.  This is yet another line of inquiry to be undertaken during the analysis.  Ideally solutions will help to implement fixes faster – and make sure that breaches don’t continue when a system is known to be working improperly.

In a letter sent to the clients potentially affected, the FSSA stated that the contractor who provides the programming “also is taking steps to improve their computer programming and testing processes to prevent similar errors from occurring in the future.”   While this is certainly necessary, the FSSA should also be looking at their own processes for verifying contractor work and notifying clients in the case of a data breach.

To view the Outline and Cause Map, please click “Download PDF” above