HIPAA Blog

[ Tuesday, March 01, 2016 ]

BJC Over-reports. BJC Healthcare in St. Louis sent an email containing patient names, dates of birth, and Medicare numbers to another healthcare provider. No actual medical information, and apparently no social security numbers. Sent to another healthcare provider. The other provider was the addressee of the email. The other provider was supposed to get the information. There is no evidence at all that the information was viewed or accessed by any improper person.

But the email was not encrypted.

It's theoretically possible that someone viewed the information in the nanoseconds it was traveling through the internet. It's theoretically possible that someone put a sniffer program on the server that the email happened to pass through on its way from BJC to the intended proper recipient. It's theoretically possible that monkeys will fly out of my butt.

This is not a reportable event. This is not a reportable breach. This is NOT EVEN A BREACH. It may be a breach of BJC's HIPAA policies and procedures, and the email sender should be sanctioned. But reporting this to the public is dumb, in the way that all cries of "wolf" are dumb.

First ACC, now this.

Jeff [9:22 AM]

Comments: Post a Comment

http://www.blogger.com/template-edit.g?blogID=3380636 Blogger: HIPAA Blog - Edit your Template