Dignity Health accidentally exposes nearly 56,000 patients' data in email gaffe

California-based health care facilities operator Dignity Health accidentally exposed the personal data of nearly 56,000 patients in an email gaffe, according to a recent disclosure filed with the US Department of Health and Human Services on May 31. Moreover, the healthcare service also suffered two other breach incidents in recent months as well.

What happened?

Dignity Health said an email list formatted by third-party business associate Healthgrades contained a sorting error that caused the company to inadvertently send emails to the wrong patients in April 2018, informing them of a new appointment scheduling tool. Each misdirected email was sent to only one person, the company noted.

What type of information was compromised?

The emails contained the wrong patient's name and, in some cases, his or her physician's name as well. No other information such as financial, insurance or medical details was included in the email, Dignity Health said.

How many victims were affected?

Approximately 55,947 patients were impacted.

What was Dignity Health's response?

Dignity Health and Healthgrades launched an investigation after learning of the incident on April 25, notified affected patients and "corrected the problem" by "putting appropriate steps in place so that it will not happen again."

"All of us at Dignity Health and Healthgrades take our responsibility to protect patients’ personal and medical information very seriously. We sincerely regret that this error happened and any concern or confusion it may have caused," the firm said in a statement.

More breaches disclosed

Dignity Health disclosed two other separate breach incidents as well, DataBreaches.Net reported. In a statement on their website, Dignity Health St. Joseph's Hospital and Medical Center in Arizona suffered a breach after a hospital employee viewed portions of 229 patient medical records "without a business reason to do so." The breach reportedly occurred between October 13, 2017 and March 29, 2018.

The employee possibly viewed a trove of personal and medical data including names, dates of birth, clinical data such as doctors' or nurses' notes and diagnostic information.

"Because the information viewed did not include Social Security, billing or credit card information, the hospital has no reason to believe these patients need to take any action to protect themselves against identity theft," Dignity Health said. "Dignity Health St. Joseph’s Hospital and Medical Center is deeply committed to protecting its patients. Any person who accesses medical records without a job-related reason is in violation of St. Joseph’s policy and appropriate action has been taken in response to this event."

Patients affected by this breach were notified by mail.

On May 10, Digital Health filed additional disclosures with the HHS reporting three of its Nevada hospitals accidentally continued to send court-related health documents containing patient information to a third-party contractor, even after their contact had expired. Dignity Health St. Rose Dominican Hospitals in San Martin, Siena and DeLima were impacted in the breach, involving a total of 6016 patients. The contract was reportedly later renewed.