On May 31, 2018, Dignity Health submitted a HIPAA Email Breach to the U.S. Department of Health and Human Services (HHS). Based in San Francisco, California, Dignity Health's email breach affected 55,947 individuals’ protected health information. Dignity Health is classified as a Healthcare Provider. According to Dignity Health’s statement:
In a Dignity Health statement emailed to HealthITSecurity.com, the healthcare provider explained that an email list formatted by its business associate Healthgrades contained a sorting error that resulted in misaddressed emails being sent to a group of patients about an online appointment scheduling tool. The misdirected email contained the wrong patient’s name and his or her physician’s name. Each misdirected email was sent to only one person, the statement said. In addition, Dignity Health informed OCR on May 10 that personal information on 6,036 patients at three of its St. Rose Dominican Hospitals in Nevada may have been disclosed. According to DataBreach.net, the hospitals provided court-related health documents containing PHI to a local vendor even though the hospitals’ contract with the vendor had expired. The report also noted that Dignity Health St. Joseph’s Hospital and Medical Center in Arizona announced that a hospital employee viewed portions of 229 patient medical records between Oct. 13, 2017, and March 29, 2018, without a business reason to do so.
The HHS Wall of Shame is a website under the jurisdiction of HHS that lists all HIPAA breaches reported within the last 24 months. The Wall of Shame displays breaches that are currently under investigation by the Office for Civil Rights. As part of section 13402(e)(4) of the HITECH Act, the HHS Secretary must post a list of breaches of unsecured protected health information affecting 500 or more individuals.
The Paubox HIPAA Breach Report analyzes breaches that affected 500 or more individuals as reported in the HHS Wall of Shame.