Several recent PHI-related news items, including two that were commented upon by Michael Kline in this blog series in his posts dated June 27, 2011 (regarding Google Health’s announced shut down) and July 3, 2011 (regarding the Spartanburg (S.C.) Regional Health System PHI security breach), and one that was described by Bill Maruca in a post dated June 22, 2011 (regarding the safety of “cloud-based” data storage systems), share a common feature – they underscore our need to trust the keepers of our PHI. We need to trust that, whether PHI is in the cloud or on a server, in a thumb drive or on a hard drive, only those who have a right and a need to access it can and will do so.
A recent petition (“Petition”), filed as a putative class action in federal court in St. Louis, Missouri against The Siteman Cancer Center at Barnes Jewish Center (“Siteman”) and the Washington University (St. Louis) School of Medicine provides an example of insult adding to injury when the trust in our PHI-keeper is broken. Mistakes may happen, but trust is really breached when the mistakes that involve PHI are not admitted and addressed immediately.
The Petition alleges that, sometime over the weekend of December 4, 2010, “an unencrypted laptop computer,” which contained the PHI of “hundreds of cancer patients,” was stolen from Siteman’s Gynecological Treatment Center. While the exact number of individuals affected is not identified in the Petition, there has been no posting of the breach in the list maintained on the U.S. Department of Health and Human Services Web site respecting breaches of unsecured PHI affecting 500 or more individuals (the “HHS List”). This suggests that fewer than 500 individuals were affected.
According to the Petition, Siteman did provide notice to affected individuals – but, based on allegations in the Petition, the notice was too little and too late. The Petition contends that Siteman knew about the stolen laptop immediately after the December 4, 2010 weekend, but did not notify affected individuals until it sent out a letter dated January 28, 2011. Adding apparent insult to this delayed notice of injury, the Petition asserts that Siteman also “downplayed the seriousness of the security breach” and failed to include complete information about (and thus “misrepresented”) the type of information that was stolen.
In blogging about the Spartanburg breach, Michael writes, “[i]t is perplexing that a hospital would choose to withhold disclosure of the extent of its PHI security breach, as it risks a second round of significant media coverage when the posting on the HHS List takes place one to three months later.” I find it similarly perplexing that a hospital, such as Siteman, might choose to withhold disclosure of the extent of an especially sensitive PHI security breach, particularly when the disclosure is being made directly to the potentially affected individuals. Failure to disclose promptly and accurately the nature and extent of a breach not only erodes patient trust, but also increases the likelihood of a “second round” of patient harm and ensuing litigation.