Bringing transparency to federal inspections
Tag No.: A0043
Based on interview and record review, the hospital's governing body was not effective at ensuring the integrity, privacy, and oversight of the personal health information of its patients. There was a lack of communication between the departments using patient data for quality projects and the departments responsible for oversight of the patient data and the servers the data was stored on. This resulted in patient data for 32,500 patients being exposed to a popular search engine. The exposure went undetected by the facility and continued for 14 months before discovery.
Findings:
1. The Governing Body did not ensure contracted services were performed in a manner that maintained the safety of patient medical information. Refer to A0084.
2. The Governing Body did not protect the integrity and security of all electronic medical records. Refer to A0438.
3. The Governing Body had not developed, implemented and maintained effective oversight of electronic patient health information used in their QAPI projects. Electronic medical records for 32,500 patients were accessible to a well known search engine from October 2012 to December 2013. Refer to A0308.
Tag No.: A0084
Based on interview and record review, the governing body failed to provide oversight for a contracted service as it related to ensuring the integrity and privacy of patient information for the period from October 2012 to December 2013, involving patient information for 32,500 patients.
Findings:
The facility had an ongoing quality project involving the abstraction of patient data from their perioperative files and admission transfer and discharge files. The data was merged into a single file to be electronically sent to a third party (Party B) for participation in a National Quality Improvement benchmarking system for comparative purposes with hospitals throughout the United States.
The facility hired another third party (Party A) to develop a software product that would convert the patient data into a format readable by Party B. Party A worked with the facility's project manager (PM 1) and would periodically enter the system to assist the facility with troubleshooting the format and conversion of data for delivery to Party B.
Administrative staff were interviewed on 1/22 and again on 1/23/14. According to administrative staff, the above quality program was started some years ago and was initiated by a previous staff physician in a quality position in the surgical area. Staff were unclear what the previous staff physician's title was. The initial contract with Party A was signed by a facility staff member in the informational operations department. Executive management shared that since that time all contracts go through executive staff and require two signatures.
During discussions with the informational operations staff on 1/22/14 it was clear they were unaware of how Party A was accessing Server X (the dedicated server for the quality program and patient data storage). Informational staff believed PM 1 was giving Party A remote access to Server X. During an interview with PM 1 and informational staff on 1/23/14, PM 1 shared he would call Party A whenever he needed changes or reformatting of the data for Party B. PM 1 stated he had no authority to grant access to Party A and wasn't sure who was responsible for that. After some phone calls, informational staff found Party A had been assigned a password through the human resources department (HR) of the facility. At that point the HR person on the other end of the phone stated Party A still had access via a password and had last attempted to access Server X on December 2, 2013, but the server had been taken out of service. The facility stated Party A was on a strictly time-and-materials contract and provided statements for each time Party A accessed the server. However, no time and materials were billed for December 2, 2013, and there was no request for service. The facility was unsure what the reason for the attempted access on December 2 was and why Party A still had a password.
Informational operations staff shared the significance of Server X as an "outbound" server, stating it is necessary to have outbound servers. An example would be the facility's local web site. In that case the facility would want the general public to be able to access information about the facility, physicians on staff and any online forms the facility may provide as a service to the general public. The facility has over 200 servers and 37 are outbound (36 since Server X was taken out of service on 12/2/13).
During a review of audit reports on the hospital servers provided by the facility, Server X was identified as outbound, noting: Impact: "An attacker might learn about your computer and network to help with a future attack". Solution: "Disable Anonymous FTP (file transfer protocol) or set a password for it". This message, according to IT staff, indicated someone had entered Server X and left the server exposed upon exit. The analogy given was much like that of leaving your key for someone: they enter your house, and when they leave they forget to lock the door.
The facility contracted Party C for oversight and assistance with their information technology; a staff member (IT 1) from Party C was present for the interviews. According to IT 1, if he had known the purpose of Server X and the fact it held personal health information (PHI), the above Impact message from the report would have been a red flag and he would have taken action immediately.
IT 1 shared that the identification of servers, their purpose and the data stored on them is the responsibility of the facility.
Hospital informational operations staff (IOS) shared that the reports they receive on their servers are extensive, greater than 400 pages. The software package they purchased for the reports delineates which things are to be considered a priority and starts with red flags, yellow flags, green, and then "informational" data. IOS staff shared the informational data is a "sewer of information" and they usually just concentrate on the red, yellow and green items. The software program identifying Server X as at risk had been doing so since July 2013, which was when it was purchased by the facility.
The facility policy entitled Computer System User ID and Password Management, last revised 3/2009, was reviewed. According to the policy goals, the facility is to "Define the security measures established to ensure the security, integrity and confidentiality of data contained in electronic systems at (the facility)." According to the policy entitled Information Security Program, "Information security program objectives include preventing the misuse, loss, or unauthorized disclosure of clinical or business information, establishing individual security responsibilities for the generation, handling, servicing, and use of (the facility) information and establishing a basis for auditing and compliance."
The facility failed to provide a process for oversight of outbound servers, in particular Server X, a dedicated outbound server for a project that contained patient personal health information.
While the facility had purchased a software program to routinely audit all the servers, the people responsible for reviewing the audit reports the software program generated were unaware of what kind of data was in the outbound servers; hence the priority for oversight was difficult to establish. Consequently, the audit reports continually generated a warning that Server X was at risk, but because Server X wasn't listed as a priority to anyone, the warning was ignored for over 6 months. The software program had only been in use at the facility for that 6 month period. Server X had been outbound and accessible to the public for approximately 14 months.
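The failure described above is a triage problem: the scanner ranked the anonymous-FTP warning as "informational", and the reviewers had no inventory telling them that the host was internet-facing and held PHI. The following is an added example, not part of the inspection report or of any product the facility used, showing one way to join scanner output with an asset inventory so that exposure and data classification, not scanner severity alone, decide what gets read first. All hosts, findings and inventory entries are constructed for illustration; only the four severity tiers and the anonymous-FTP finding text come from the report.

```python
"""Re-prioritise vulnerability-scanner findings using an asset inventory.

Added example (not from the inspection report). The report describes a
scanner whose "informational" tier buried an anonymous-FTP warning on an
internet-facing server holding PHI. The check below escalates any finding
on an exposed sensitive-data host regardless of the scanner's own rank, and
treats a host missing from the inventory as a finding in itself.
All data below is constructed.
"""
from dataclasses import dataclass

# Constructed asset inventory: the knowledge the report says the scan
# reviewers lacked (which servers are outbound and what data they hold).
ASSET_INVENTORY = {
    "server-x":   {"internet_facing": True,  "data_class": "PHI",    "owner": "quality-program"},
    "www-public": {"internet_facing": True,  "data_class": "public", "owner": "communications"},
    "hr-db-01":   {"internet_facing": False, "data_class": "PII",    "owner": "human-resources"},
}

# Constructed scanner output, using the four tiers the report describes.
SCAN_FINDINGS = [
    {"host": "server-x",   "severity": "informational", "title": "Anonymous FTP enabled",
     "solution": "Disable Anonymous FTP or set a password for it"},
    {"host": "www-public", "severity": "informational", "title": "Anonymous FTP enabled",
     "solution": "Disable Anonymous FTP or set a password for it"},
    {"host": "hr-db-01",   "severity": "yellow", "title": "Outdated TLS configuration",
     "solution": "Update TLS configuration"},
    {"host": "www-public", "severity": "green", "title": "HTTP server banner disclosed",
     "solution": "Suppress server banner"},
    {"host": "unknown-host", "severity": "red", "title": "Remote code execution",
     "solution": "Apply vendor patch"},
]

SCANNER_RANK = {"red": 3, "yellow": 2, "green": 1, "informational": 0}
SENSITIVE = {"PHI", "PII"}


@dataclass
class Triaged:
    host: str
    title: str
    scanner_severity: str
    effective_severity: str
    reason: str


def effective_severity(finding, inventory):
    """Return (severity, reason) after applying the asset context."""
    asset = inventory.get(finding["host"])
    sev = finding["severity"]
    if asset is None:
        # An unknown host means the inventory is incomplete; nobody owns it.
        return "red", "host not in asset inventory"
    if asset["internet_facing"] and asset["data_class"] in SENSITIVE:
        # Exposed host holding regulated data: every finding is a red flag.
        return "red", f"internet-facing host holding {asset['data_class']}"
    if asset["data_class"] in SENSITIVE and SCANNER_RANK[sev] < SCANNER_RANK["yellow"]:
        # Internal but sensitive: never let it sink into the informational tier.
        return "yellow", f"internal host holding {asset['data_class']}"
    return sev, "scanner severity retained"


def triage(findings, inventory):
    """Re-rank findings; sort is stable, so scanner order breaks ties."""
    out = []
    for f in findings:
        eff, why = effective_severity(f, inventory)
        out.append(Triaged(f["host"], f["title"], f["severity"], eff, why))
    out.sort(key=lambda t: -SCANNER_RANK[t.effective_severity])
    return out


if __name__ == "__main__":
    for t in triage(SCAN_FINDINGS, ASSET_INVENTORY):
        print(f"{t.effective_severity:13} (scanner: {t.scanner_severity:13}) "
              f"{t.host:12} {t.title} -- {t.reason}")
```

With the constructed data, the same anonymous-FTP finding lands at the top of the list for `server-x` and stays informational for the public web server, which is the distinction the report says was missing. The inventory is the part that has to be maintained by the facility; the scanner cannot supply it.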
Tag No.: A0308
Based on interview and record review, the hospital's Quality Assurance and Performance Improvement (QAPI) program was not effective in identifying the potential for public access to sensitive patient data. The hospital failed to provide oversight for the quality programs it was involved with that integrated third party vendors with access to the hospital's patient data. This failure of oversight spanned the period from October 2012 to December 2013 and involved patient information for 32,500 patients.
Findings:
The facility had an ongoing quality project involving the abstraction of patient data from their perioperative files and admission transfer and discharge files. The data was merged into a single file to be electronically sent to a third party (Party B) for participation in a National Quality Improvement benchmarking system for comparative purposes with hospitals throughout the United States.
The facility hired another third party (Party A) to develop a software product that would convert the patient data into a format readable by Party B. Party A worked with the facility's project manager (PM 1) and would periodically enter the system to assist the facility with troubleshooting the format and conversion of data for delivery to Party B.
Administrative staff were interviewed on 1/22 and again on 1/23/14. According to administrative staff, the above quality program was started some years ago and was initiated by a previous staff physician in a quality position in the surgical area. Staff were unclear what the previous staff physician's title was. The initial contract with Party A was signed by a facility staff member in the informational operations department. Executive management shared that since that time all contracts go through executive staff and require two signatures.
During discussions with the informational operations staff on 1/22/14 it was clear they were unaware of how Party A was accessing Server X (the dedicated server for the quality program and patient data storage). Informational staff believed PM 1 was giving Party A remote access to Server X. During an interview with PM 1 and informational staff on 1/23/14, PM 1 shared he would call Party A whenever he needed changes or reformatting of the data for Party B. PM 1 stated he had no authority to grant access to Party A and wasn't sure who was responsible for that. After some phone calls, informational staff found Party A had been assigned a password through the human resources department (HR) of the facility. At that point the HR person on the other end of the phone stated Party A still had access via a password and had last attempted to access Server X on December 2, 2013, but the server had been taken out of service. The facility stated Party A was on a strictly time-and-materials contract and provided statements for each time Party A accessed the server. However, no time and materials were billed for December 2, 2013. The facility was unsure what the reason for the attempted access on December 2 was and why Party A still had a password.
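The vendor-access findings above (and the identical findings under A0084) describe two controls that were missing: reconciling a contractor's server access against the work it was actually engaged for, and disabling vendor credentials once the engagement ends. The following is an added example, not part of the inspection report, showing a small reconciliation check over constructed records. The account roster, access log, work records, dates other than 12/2/13, and the contract end date are all constructed for illustration; the report itself gives no contract end date.

```python
"""Reconcile contractor server access against work records and contract status.

Added example (not from the inspection report). The report describes a
time-and-materials vendor still holding a password after the project ended,
with an access attempt on a day that had no billed work and no service
request. The two checks below flag exactly those conditions.
All records are constructed; none come from the facility.
"""
from datetime import date

# Constructed vendor account roster. "billing" decides which accounts must
# reconcile against work records (time-and-materials) and which are on a
# standing retainer. contract_end is constructed; the report states none.
VENDOR_ACCOUNTS = [
    {"user": "partya-svc", "vendor": "Party A", "billing": "time_and_materials",
     "enabled": True, "contract_end": date(2013, 9, 30), "sponsor": "PM 1"},
    {"user": "partyc-ops", "vendor": "Party C", "billing": "retainer",
     "enabled": True, "contract_end": None, "sponsor": "IOS"},
]

# Constructed authentication log for the servers in question.
ACCESS_LOG = [
    {"user": "partya-svc", "host": "server-x", "when": date(2013, 8, 14), "result": "success"},
    {"user": "partya-svc", "host": "server-x", "when": date(2013, 12, 2), "result": "failed"},
    {"user": "partyc-ops", "host": "scan-console", "when": date(2013, 12, 2), "result": "success"},
    {"user": "nurse01", "host": "ehr-app", "when": date(2013, 12, 2), "result": "success"},
]

# Constructed time-and-materials statements / service requests from the vendor.
WORK_RECORDS = [
    {"vendor": "Party A", "when": date(2013, 8, 14), "ticket": "SR-0419"},
]


def unreconciled_access(access_log, accounts, work_records, window_days=1):
    """Access events by time-and-materials vendor accounts with no work
    record from that vendor within +/- window_days of the event."""
    tm_vendor_of = {a["user"]: a["vendor"] for a in accounts
                    if a["billing"] == "time_and_materials"}
    flagged = []
    for ev in access_log:
        vendor = tm_vendor_of.get(ev["user"])
        if vendor is None:
            continue  # staff or retainer accounts are out of scope here
        matched = any(w["vendor"] == vendor
                      and abs((w["when"] - ev["when"]).days) <= window_days
                      for w in work_records)
        if not matched:
            flagged.append(ev)
    return flagged


def stale_vendor_accounts(accounts, today):
    """Vendor accounts still enabled after their contract end date."""
    return [a for a in accounts
            if a["enabled"] and a["contract_end"] is not None and a["contract_end"] < today]


if __name__ == "__main__":
    for ev in unreconciled_access(ACCESS_LOG, VENDOR_ACCOUNTS, WORK_RECORDS):
        print(f"no work record: {ev['user']} on {ev['host']} {ev['when']} ({ev['result']})")
    for a in stale_vendor_accounts(VENDOR_ACCOUNTS, date(2014, 1, 23)):
        print(f"still enabled past contract end: {a['user']} ({a['vendor']}, sponsor {a['sponsor']})")
```

Run against the constructed data, the first check surfaces the December 2 attempt by the Party A account (failed or not, it has no matching work record), and the second surfaces that the account is still enabled months after its constructed contract end date. Both checks depend on the facility owning the roster, in particular the sponsor and end date for each vendor account, which the report indicates nobody at the facility could identify.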
Informational operations staff shared the significance of Server X as an "outbound" server, stating it is necessary to have outbound servers. An example would be the facility's local web site. In that case the facility would want the general public to be able to access information about the facility, physicians on staff and any online forms the facility may provide as a service to the general public. The facility has over 200 servers and 37 are outbound (36 since Server X was taken out of service in December 2013).
During a review of audit reports on the hospital servers provided by the facility, Server X was identified as outbound, noting: Impact: "An attacker might learn about your computer and network to help with a future attack". Solution: "Disable Anonymous FTP (file transfer protocol) or set a password for it". This message, according to IT staff, indicated someone had entered Server X and left the server exposed upon exit. The analogy given was much like that of leaving your key for someone: they enter your house, and when they leave they forget to lock the door.
The facility contracted Party C for oversight and assistance with their information technology; a staff member (IT 1) from Party C was present for the interviews. According to IT 1, if he had known the purpose of Server X and the fact it held personal health information, the message from the report would have been a red flag and he would have taken action immediately.
IT 1 shared that the identification of servers and their purpose is the responsibility of the facility.
Informational operations staff (IOS) shared that the reports they receive on their servers are extensive, greater than 400 pages. The software package they purchased for the reports delineates which things are considered a priority and starts with red flags, yellow flags, green, and then "informational" data. IOS staff shared the informational data is "a sewer of information" and they usually just concentrate on the red, yellow and green items. The software program identifying Server X as at risk had been doing so since July 2013, which was when the software program was initially purchased by the facility.
The facility administrative staff shared they were concerned an outside vendor (OV) had accessed Server X and left the server unsecured or vulnerable to attack from outside sources (in this case a well known search engine). According to administrative staff, they had sequestered Server X for a forensic investigation in December of 2013; the investigation had not yet been started as of our survey. During interviews on 1/23/14 with administrative staff it was discovered the OV the facility had suspected of leaving Server X unsecured still had a password and had last attempted to access Server X on December 2, 2013.
The facility failed to provide a process for oversight of outbound servers containing patient PHI. While the facility had a software program routinely auditing the servers, the people responsible for reviewing the audit reports the software program generated were unaware of what kind of data was in the outbound servers. The priority for oversight wasn't established by the facility. The messages indicating Server X was vulnerable to attack had been generated for 6 months before the facility was made aware by an outside anonymous source that patient PHI from their facility and their two sister facilities was available to the general public by way of a well known search engine.
Tag No.: A0431
Based on interview and record review, the facility failed to provide for the security of the electronic medical records of 32,500 patients for a period of 14 months.
Findings:
1. The facility failed to ensure the integrity and protect the security of all electronically entered patient data. Refer to A0438.
2. The facility did not have a fail-safe method to ensure patient information was only released to authorized individuals. Refer to A0441.
Tag No.: A0438
Based on interview and record review, the facility failed to ensure the integrity and protect the security of all patient data electronically entered into one of its servers housed at the facility, for 32,500 patients seen in the facility and its sister facilities between October 2012 and December 2013.
Findings:
The facility had an ongoing quality project involving the abstraction of patient data from their perioperative files and admission transfer and discharge files. The data was merged into a single file to be electronically sent to a third party (Party B) for participation in a National Quality Improvement benchmarking system for comparative purposes with hospitals throughout the United States.
The facility hired another third party (Party A) to develop a software product that would convert the patient data into a format readable by Party B. Party A worked with the facility's project manager (PM 1) and would periodically enter the system to assist the facility with troubleshooting the format and conversion of data for delivery to Party B.
There was a dedicated server (Server X) that was utilized for the quality project. According to the facility, at some point, estimated to be sometime in October of 2012, someone entered the dedicated Server X where the patient data was stored and left the server unsecured. Consequently, the server was accessed by an Internet search engine, and patient data was accessible to the general public.
The patient data abstracted included name, address, date of birth, medical record number and account number, and health information including diagnoses, lab results and procedures performed for patients seen at the facility and the facility's two sister hospitals. The time frame was from October of 2012 to December of 2013 and involved 32,500 patients according to administrative staff.
The facility policy and procedure entitled Universal Confidentiality of Information, last revised February 2012 and last reviewed February 2012, was provided by the facility. According to the policy the facility is to "Protect confidential and proprietary information from unauthorized disclosure, and ensure that adequate safeguards are in place to avoid theft or unauthorized use of this information. Confidential and proprietary information may be verbal, written, electronic or personal observation."
The policy entitled Medical Records-Privacy and Security of Protected Health Information and Medical Records, last revised June 2003 and last reviewed December 2011, was provided by the facility. According to the policy, "All patient-specific health information, henceforth referred to as protected health information (PHI), is confidential and available to authorized and verified users and requestors only. PHI is any information that specifically identifies a patient, including but not limited to the following: Name, dates (birth, admit, discharge), address, medical record number, account number..." The policy further stipulates "PHI is limited to those who have a need to know the information in order to provide treatment, payment and/or conduct healthcare operations. Releasing any of this information, whether verbal, written, or electronic, for other than permissible purposes is a violation of privacy regulations."
Administrative staff were interviewed on 1/23/14. Administrative staff shared they had a software program running audits on the servers. Server X was recognized as being at risk; however, the reports were "extensive" in nature and held over 400 pages of "informational data". In retrospect, the warnings the reports were showing would have been a red flag to IT staff, but they were lost on page 106 of a 400 page report. The facility could not provide a clear answer as to why Server X wasn't placed higher on the priority list, since it was a dedicated outbound server containing patient personal health information.
Tag No.: A0441
Based on interview and record review, the facility failed to obtain consent from one (Patient 23) of eighteen closed records reviewed for confidential information to be used by a third party vendor (Party A). This failure allowed Patient 23's confidential information to be shared with Party A without the patient's consent or knowledge.
Findings:
Interviews with facility administrative staff on 1/22/14 at 10:00 a.m. revealed that the facility was made aware on 12/2/13 that Party A appeared to have removed electronic security protections from one of the facility's servers (Server X), allowing the confidential information of approximately 32,500 patients (including Patient 23) to be accessed by unauthorized individuals. The facility provided samples on 1/22/14 of patient names and information that were available on the Internet. A review of 18 randomly selected closed records from this sample was completed on 1/23/14 from 9:34 a.m. to 2:00 p.m. Interview with administrative medical record staff on 1/22/14 at 11:00 a.m. revealed that they had no oversight in the preparation or protection of this confidential information sent to Party A.
Interview and concurrent review of the facility form CONDITIONS OF SERVICE on 1/23/14 at 2:00 p.m. with administrative staff revealed that when a patient signs this form they consent to sending their confidential information to multiple third party vendors. Further interview revealed this form is completed on admission for all patients and should be in the medical record.
Review of 18 closed records completed on 1/23/14 at 2:00 p.m. revealed that one (Patient 23) of eighteen records did not contain a signed CONDITIONS OF SERVICE form. Interview with administrative staff on 1/23/14 at 2:30 p.m. confirmed that a signed CONDITIONS OF SERVICE form was not found in Patient 23's record.