Ohio health officials are notifying 59,000 state residents that they were inadvertently identified as behavioral-health patients in mailed correspondence, resulting in a breach of protected health information.
In February, the Ohio Department of Mental Health & Addiction Services sent postcards to former patients that read “Your Consumer Voice,” strongly implying that the recipient had used the agency's services.
The agency received a complaint from a woman whose son received one of the 10,000 cards inviting patients to take an online survey. It was the only complaint, according to agency spokesman Eric Wandersleben.
“If that card fell into someone's hands and they were to check out the survey link, you could make the connection as someone receiving services in our system,” Wandersleben said. “Obviously, (the postcards) should have been in an envelope.”
The agency took the complaint seriously, he said, notifying the feds, informing the patients, reviewing agency privacy policies, reprimanding (but not discharging) the individual deemed most responsible, and providing employees in its research division with a “deeper dive” into relevant data privacy laws.
The agency has been conducting the surveys—without any previous patient complaints—as part of a quality improvement program, aiming to gauge individuals' treatment experiences and to gather data for a federal grant, he said.
Thus far in the U.S., the medical records of more than 158 million individuals have been exposed in 1,540 data breaches involving 500 or more individuals' records reported to the HHS' Office for Civil Rights and posted on its “wall of shame” website. Many thousands more records have been reported as compromised in tens of thousands of lesser breaches, according to the OCR.
Information-technology security experts predict 2016 could be worse for healthcare data breaches than 2015, the worst year since the OCR began publicly tracking them in 2009. And government healthcare agencies have not been immune.
In February, federal authorities notified officials at the Florida Department of Health in Palm Beach County that confidential information on about 1,000 of the county agency's patients had been breached.