Name of Entity
Episcopal Health Services Inc. d/b/a St. John's Episcopal Hospital
Organization Type
Healthcare, Medical Providers & Medical Insurance Services
Address
NY
United States
Description
OCR opened an investigation of the covered entity (CE), Episcopal Health Services Inc., d/b/a St. John’s Episcopal Hospital, after it reported that its business associate's (BA) employee sold 509 patients' data to unknown persons. The protected health information (PHI) included patients’ names, addresses, dates of birth, gender, email addresses, social security numbers, account numbers, dates of service, medications, insurance information, diagnoses, billing codes, and reasons for treatment. The BA, Zotec Partners, LLC, d/b/a Medical Management LLC, also filed a separate breach report. As a result of the breach, the BA transitioned to an improved billing system that offers more security controls, implemented software for tracking and monitoring access and user activity, and masked social security numbers from employees whose job duties do not require full access. In addition, the BA conducted updated training on the Privacy and Security Rule standards for all employees. OCR obtained assurances for this case that the BA implemented the corrective actions noted above and also opened a separate investigation of the BA.
Location of breached information: Electronic Medical Record
Business associate present: No
Date of Breach
01/01/2015