LuckyStep - stock.adobe.com

VCU Health Notifies Patients of Transplant Donor, Recipient PHI Data Breach

VCU Health, Phoenixville Hospital, and Family Practice Centers all reported PHI data breaches recently.

Transplant donor records were available to transplant recipients at Virginia Commonwealth University Health System (VCU Health) as early as January 2006, the health system informed patients recently. The incident impacted 4,441 donors and recipients.

In February 2022, VCU Health discovered that a limited amount of protected health information (PHI) belonging to transplant donors was contained in the medical records of transplant recipients. The health system later learned that some transplant recipient information was also contained in the medical records of transplant donors.

“This information may have been viewable to transplant recipients, donors, and/or their representatives when they logged into the recipient’s and/or donor’s patient portal,” a notice on VCU Health’s website stated.

“Additionally, this information may have been released in response to a release of information request made at the request of, or on behalf of, the recipient and/or donor.”

The exposed information potentially included names, lab results, Social Security numbers, dates of services, birth dates, and medical record numbers. VCU Health said that it “promptly resolved the issue” upon discovery and began to review the way donor and recipient information is recorded at the health system.

“VCU Health is committed to maintaining the privacy of information pertaining to our patients and has taken many precautions to safeguard it,” the notice concluded.

“VCU Health continually evaluates and modifies its practices to enhance the security and privacy of patients’ information, including the education and counseling of our workforce regarding patient privacy matters.”

Phoenixville Hospital Suffers Unauthorized EMR Access By Employee

Phoenixville Hospital began notifying impacted individuals of an incident in which a hospital employee accessed and viewed the electronic medical records of a patient on May 1, 2022, without an apparent business reason. Further investigation revealed that the same employee had accessed additional Phoenixville Hospital EMRs between October 2021 and May 2021.

The information potentially included names, birth dates, dates of encounter, diagnoses, addresses, provider notes, medications, test results, vital signs, and some partial Social Security numbers and identification numbers.

“Phoenixville Hospital takes its responsibility to safeguard personal and protected health information very seriously. The employee was immediately suspended and was subsequently terminated,” the notice stated.

“Phoenixville Hospital has provided additional training to members of its workforce regarding the appropriate access of patient information. The hospital continues to provide ongoing mandatory HIPAA/privacy training to its workforce members regarding appropriate access, use, and disclosure of protected health information. The hospital is currently investigating potential improvements to its privacy monitoring tools and processes.”

Family Practice Center Discloses Security Incident

Family Practice Center (FPC), a large group of primary care physicians in Central Pennsylvania, disclosed a security incident that occurred in October 2021. FPC said that it suffered a failed attempt to shut down its computer operations.

The incident did not impact FPC’s ability to treat patients. In May 2022, FPC found that an unauthorized party potentially accessed files containing personal information during the attempted shutdown. The files contained names, addresses, health and treatment information, and medical insurance information, along with a small amount of Social Security numbers.

“FPC will be notifying potentially impacted individuals of this incident by letter,” the July 8 announcement stated.

“The letters include information about this incident and what steps those individuals who had their information exposed can take to monitor and protect their information.”

FPC said it had no evidence that any patient information was misused as a result of the incident.

Next Steps

Dig Deeper on Healthcare data breaches