Editor's Corner: HIE breach raises new, unanticipated questions

Marla Hirsch

Yet again a tree fell down in the health IT forest and it didn’t make a sound.

But it should. One of the worst fears about health IT has been realized, and it’s probably just the tip of the iceberg.

Boston-based Codman Square Health Center reported to the Department of Health and Human Services last month that an employee of an outside vendor obtained unauthorized access to the health information exchange (HIE) in which Codman participates by using an employee’s access credentials, HealthcareInfoSecurity.com reported recently. The HIE, New England Healthcare Exchange Network (NEHEN), serves providers and plans throughout the region. Codman acknowledges on its website that the information accessed included names, addresses, dates of birth, gender, medical services, payer information, insurance information and possibly Social Security numbers. In other words, yet another major breach.

But this one is potentially more significant than our garden-variety breaches and deserves more attention than it has received--because of the nature of the breach itself.

Most discussions about the vulnerability of patient data held by an HIE relate to the actions of the HIE as a business associate under HIPAA to the covered entities supplying the information, which the HIE handles on their behalf. The concern is that the business associate makes an error, causing the breach and exposing the records.

That's not what happened here. NEHEN’s records were compromised by a third party, evidently in cahoots with or taking advantage of at least one employee of one of the covered entities providing records to NEHEN. Ouch.

But it gets worse.

Had the breach been limited to Codman’s own patients, it would have affected only 140 people. The vendor here also impermissibly accessed the records of 4,000 other patients in the HIE, a huge difference, and one that catapulted the breach into higher-stakes, HHS-Wall-of-Shame territory.

Then there’s the problem of how to comply with HIPAA’s breach notification requirements. HIPAA requires a covered entity to notify affected patients of a breach of their health information, and provides various alternative methods to do so. However, the law contemplates that, since they are the entity’s patients, the entity has some patient contact information in the record, even if it isn’t current. At least it’s a starting point.

Codman doesn’t have that luxury. It doesn’t have all patient contact information, since most of the affected patients aren’t Codman’s. Codman itself states that “All patients of Codman Square Health Center who are affected will be notified by mail. ... For affected individuals who are not Codman patients, those directly affected will be notified by mail if contact information is provided.”

That means that patients may never know that they were victims of this breach.

Moreover, this incident raises a host of more disturbing questions:

These questions--and their answers--need much more attention. - Marla (@MarlaHirsch and @FierceHealthIT)