[BreachExchange] Avoiding Breach Notification Blunders

Destry Winant destry at riskbasedsecurity.com
Wed Sep 11 10:25:35 EDT 2019


A mishap involving the mailing of breach notification letters has led
a Tennessee hospice to issue a "corrective" privacy breach

The incident is yet another example of why healthcare organizations
need to carefully scrutinize their breach response and notification

On Sept. 6, Alive Hospice in Nashville, Tennessee, issued a
"corrective" breach notification statement explaining that an earlier
letter in July to notify individuals and next of kin affected by a May
phishing incident had gone awry.

"On July 3, Alive Hospice undertook a mailing of notification letters
to individuals potentially affected by a recent data privacy
incident," notes the Sept. 6 statement from Alive. "On or about July
9, Alive learned that an error occurred in the address export process
for the mailing, which resulted in the notification letters being
addressed to the incorrect recipient."

Alive Hospice says it "immediately took steps to correct the address
error" and then mailed a corrective letter to all recipients of the
July 3 mailing. "This subsequent notice included a statement
explaining the issue with the prior mailing," the hospice says.

The initial notification letters did not include any reference to
treatment provided or to protected health or patient information,
Alive says. "The letters included the incorrect recipient's name and
referenced Alive Hospice as the entity making the notification."

A Second Breach?

But some regulatory experts dispute Alive's contention that the
incorrect recipient's name included in the original mailings isn't

"In all probability, this would constitute a separate breach," says
Rich Curtiss, director of healthcare risk assurance services at
security consulting firm Coalfire. "Assuming the individual identified
in the notice is under hospice care and a name is provided in the
notice, that could meet the definition of PHI and criteria for an
unauthorized disclosure as defined by the Department of Health and Human
Privacy attorney David Holtzman of the security consulting firm
CynergisTek offers a similar assessment.

"HHS' Office for Civil Rights could view the incident in which the
wrong individual was sent correspondence from the covered entity as a
reportable breach," he says.

The HIPAA Privacy Rule specifies that an individual's name maintained
in a covered entity's designated record set is PHI, he points out.

"In this case, where the organization used its letterhead stationery
on which it printed an individual's name about an earlier incident in
which PHI was disclosed, that in turn was disclosed to a third party,
the covered entity should employ its incident response policy to fully
investigate what caused the incident and mitigation steps to avoid a
repeat of a similar event."

As of Tuesday, the HHS' Office for Civil Rights' HIPAA Breach
Reporting Tool website that lists health data breaches affecting 500
or more individuals listed two recent incidents reported by Alive.
That includes a breach reported on July 3 impacting 608 individuals,
and a second breach reported on July 13 affecting nearly 1,900
individuals. Both are described as hacking/IT incidents involving

Alive did not immediately respond to Information Security Media
Group's requests for clarification about the two recent breach reports
to HHS.

Making Matters Worse

Mailing errors can make a messy situation far worse, as earlier
incidents have shown.

For example, the 2017 mailing mishap by a third-party firm cost health
insurer Aetna more than $20 million, including fines from several
state attorneys general and a class action lawsuit settlement (see
Aetna Fined Yet Again for Exposing HIV Information).

Aetna had a third party mail out letters to about 12,000 of its health
plan members in several states to inform them of the new options for
filling their HIV prescriptions. But the members' HIV drug information
was potentially visible through that mailing's envelopes, which had
transparent windows.

The reason that Aetna needed to send those 2017 letters was due to an
earlier privacy dispute. In 2014, Aetna settled a class action lawsuit
in which attorneys for plaintiffs argued that Aetna's policy at the
time that required filling HIV prescription drugs by mail order left
the privacy of patients' HIV status vulnerable to exposure to family,
neighbors and others (see Yet Another Twist in Messy Aetna Privacy
Breach Case).

Avoiding Mishaps

So how can organizations avoid breach notification blunders?

"Smaller covered entities such as long-term care, hospice care and
federally qualified health centers are typically not staffed with a
full-time, qualified HIPAA privacy and/or security officer," Curtiss

"Often, these are 'other duties as assigned.' It is critically
important that, irrespective of the size and budget of the
organization, the individuals responsible for HIPAA compliance are
trained and qualified to perform those functions necessary to protect
the patients and the organization. Checks and balances or separation
of duties are absolutely necessary to prevent PHI breaches, whether
electronic or physical."

Many breach response-related mishaps are easily preventable by
employing foundational concepts - such as quality assurance or "a
second set of eyes" - to ensure the process necessary for breach
reporting is thorough and accurate, Curtiss says.

"Extreme Caution"

Tom Walsh, president of tw-Security, notes that "extreme caution" must
be taken when an entity communicates about a breach to those whose
data was exposed. "You cannot un-ring a bell," he says.

Many organizations devote far more effort to the content of the
notification letter than to the delivery of the message, he notes.

"For example, a privacy officer will draft the notification letter and
run it by legal counsel," he says. "The mailing of the notifications
may be outsourced, so there may not be a formal review of a test batch
of letters prior to sending all of the letters."
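The pre-mailing review Curtiss and Walsh call for, a second set of eyes over the output before anything is sent, as an added example that is not part of the original article: a script that checks a mail-merge export against the approved recipient list by record id and flags the kind of misalignment that pairs one person's name with another's address. The sample data, field names and the row-shift fault are all constructed.

```python
import csv
import io

# Constructed sample data: the approved recipient list and the file to be
# handed to the mail house. IDs, names and addresses are placeholders.
SOURCE_CSV = """id,name,address
1001,Pat Example,10 First St
1002,Sam Sample,20 Second Ave
1003,Lee Placeholder,30 Third Rd
"""

# Simulated faulty export: the address column slipped one row, so every
# name is now paired with another recipient's address.
EXPORT_CSV = """id,name,address
1001,Pat Example,20 Second Ave
1002,Sam Sample,30 Third Rd
1003,Lee Placeholder,10 First St
"""


def load(csv_text):
    """Parse CSV text into {id: (name, address)}; a duplicate id is an error."""
    rows = {}
    for r in csv.DictReader(io.StringIO(csv_text)):
        if r["id"] in rows:
            raise ValueError(f"duplicate id {r['id']}")
        rows[r["id"]] = (r["name"].strip(), r["address"].strip())
    return rows


def validate_merge(source_csv, export_csv):
    """Compare the export against the source record by record.

    Returns a list of findings; an empty list means the export is safe to mail.
    """
    src, exp = load(source_csv), load(export_csv)
    findings = [f"{i}: missing from export" for i in sorted(src.keys() - exp.keys())]
    findings += [f"{i}: not on approved list" for i in sorted(exp.keys() - src.keys())]
    mismatched = sorted(i for i in src.keys() & exp.keys() if src[i] != exp[i])
    findings += [f"{i}: export has {exp[i]}, source has {src[i]}" for i in mismatched]
    # The classic export failure: the addresses are all real, just on the wrong letters.
    known = {addr for _, addr in src.values()}
    if mismatched and all(exp[i][1] in known for i in mismatched):
        findings.append("pattern: mismatched addresses belong to other recipients (row shift?)")
    return findings


if __name__ == "__main__":
    for line in validate_merge(SOURCE_CSV, EXPORT_CSV):
        print(line)
```

Run it against the real export and the approved list before the print job is released; a non-empty result is a stop-the-mailing condition, not a warning.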

Monitor Vendors

Susan Lucci, senior privacy and security consultant at tw-Security,
notes that organizations - such as Aetna - that rely on vendors to
help with breach notifications must be mindful of their partners'
"Oversight and careful management of a vendor to alert them to the
differences in projects is essential to ensure missteps are not made,"
she says. "The philosophy of ongoing, regular communication and
maintaining a close working relationship with business associates is
Business associates essentially are an extension of the workforce of
an organization, Lucci notes. "That means the same level of education,
reminders, and alerts to changes in cybersecurity risks should be
shared regularly with business associates if security incidents and
breaches are to be avoided."
