The breach occurred April 24 and was reported to the U.S. Department of Health and Human Services on May 31. It was the third-largest data breach, by number of affected patients, reported to the federal health agency that month. The incident is being reviewed by the department’s Office for Civil Rights, which investigates breaches of protected health information that affect at least 500 people. The office did not return a request for comment Tuesday.
Dignity said the problem originated from an email list formatted by one of its vendors, the online appointment scheduling site Healthgrades, which contained a sorting error. The error resulted in Dignity inadvertently sending misaddressed emails to patients which contained the wrong patient’s name and, in some cases, the patient’s doctor’s name. Each misaddressed email was sent to one person.
The emails did not include financial, insurance or medical information, according to Dignity. Dignity and Healthgrades have notified the affected patients, the companies said. The error has been corrected and the companies are taking steps to prevent it from happening again, they said.
“All of us at Dignity Health and Healthgrades take our responsibility to protect patients’ personal and medical information very seriously,” Dignity said in a statement. “We sincerely regret that this error happened and any concern or confusion it may have caused.”
A spokeswoman for Healthgrades, based in Denver, did not immediately return a request for comment. On its website, the company says it helps millions of consumers find and schedule appointments, and it partners with more than 500 hospitals across the United States. It is unclear whether the same email error has affected patients at providers other than Dignity.
Dignity patients with concerns or questions can call 877-802-1959.
In a separate incident disclosed to the Department of Health and Human Services on May 10, three Dignity hospitals in Nevada reported a breach affecting a combined 6,036 patients. In that incident, Dignity mistakenly continued to share private medical information about patients with a third-party contractor after it had terminated its contract with the company.
©2018 the San Francisco Chronicle Distributed by Tribune Content Agency, LLC.