Jackson Health System fined $2 million by the feds over stolen and lost patient records
The U.S. Department of Health and Human Services has fined Jackson Health System $2.15 million over three patient health information breaches, including missing boxes of paper records, an employee leaking information about an NFL player to an ESPN reporter, and another employee stealing and selling other records.
Jackson Health waived its right to a hearing, paid the penalty and did not contest the findings of the investigation, which was conducted by the agency’s Office of Civil Rights.
The health records are private under a 1996 federal law known as HIPAA, or the Health Insurance Portability and Accountability Act. The HHS investigation “revealed a HIPAA compliance program that had been in disarray for a number of years,” according to Roger Severino, director of the Office of Civil Rights.
“This hospital system’s compliance program failed to detect and stop an employee who stole and sold thousands of patient records, lost patient files without notifying [the Office of Civil Rights] as required by law, and failed to properly secure [patient health information] that was leaked to the media,” he said in a news release.
Jennifer Piedra, Jackson Health’s senior director of communication and outreach, said that protecting patient privacy is a top priority.
“We’re disappointed whenever we fall short of our high expectations,” Piedra said. “Jackson cooperated fully with the investigation and has taken extensive steps to upgrade our software, procedures, and staff training regarding privacy protections.”
In a July 2019 notice to Jackson Health, the federal agency said it found evidence of “wide-spread and longstanding deficiencies in protecting [patient health information]” to prevent disclosures and continually failing to conduct sufficient risk analysis for “many years” prior to the agency’s compliance review.
Jackson Health, the public health system for Miami-Dade County, has projected a $2.3 billion budget for 2020, which includes about $490 million in taxpayer subsidies. Those public dollars, based on a half-cent sales tax and property taxes, have risen by $14 million from the current fiscal year, due to increased consumer spending and rising property values.
Piedra, the Jackson spokesperson, said the $2.1 million penalty was reserved in the 2019 budget and will be included in the September financial reports to be presented to the Public Health Trust later this month.
The impact of the health system’s neglect was wide-ranging, according to the HHS notice.
In July 2015, two employees accessed the information of NFL player Jason Pierre-Paul after he injured his hand during a Fourth of July fireworks mishap and had his right index finger amputated. Employees leaked information about the injury to an ESPN reporter, who shared a picture of an electronic display board in a Jackson operating room. After the leak, the New York Giants rescinded a $60 million contract offer for Pierre-Paul.
Another employee was able to use her access to electronic patient health records to access information of more than 24,000 patients, the federal investigation found. Her actions went undetected from 2011 to 2016. She later admitted to selling the information of 2,000 of those patients for the purposes of identity theft, HHS said in its notice to Jackson.
Additionally, in December 2012, a Jackson employee told a supervisor about the loss of emergency room records containing information related to 715 patients, according to the notice.
The following month, in January 2013, an employee reported two additional missing boxes of emergency room records relating to 756 patients, the notice said.
Jackson did not report the January 2013 losses to HHS until August of that year, the notice said, and did not file an addendum disclosing the December 2012 loss until nearly three years later, in June 2016.
The health system admitted to the federal agency that prior to creating a privacy manual and policies in October 2013, it had “no previous policies” as it related to its breaches including response, risk assessment and notification procedures, the notice added.
The HHS Office of Civil Rights said it is “cognizant of [Jackson Health System’s] position as a public entity that routinely serves low-income and disadvantaged patients” and considered Jackson Health’s financial condition in determining its fine. The agency said the penalty “will not affect [Jackson Health System’s] ability to come into compliance or jeopardize its ability to continue to provide health care for patients.”
The Jackson spokesperson said the public health system “recognized and reported [the privacy breaches] because strong organizations like ours admit their errors clearly, learn from them thoughtfully, and take decisive action to prevent them in the future.”
This story was originally published October 24, 2019 at 12:12 PM.
