Hundreds more affected by Trios Health privacy breach

A Trios Health employee improperly accessed more than 1,600 electronic patient records — nearly triple what initial investigation found.

The Kennewick hospital system first announced the breach at the end of May, while it was still investigating the extent of the issue. At that time, officials had uncovered about 570 improperly accessed patient records.

But continued investigation revealed that the employee looked at 1,603 records outside of his or her job duties, in violation of the Health Insurance Portability and Accountability Act, or HIPAA. The improper access happened over about 3 1/2 years starting in October 2013.

Trios’ investigation now is complete.

The employee was fired after the breach was discovered. Trios isn’t naming him or her because of privacy rules.

“We are deeply disappointed about the former employee’s actions, and to now be in a position to report so many additional patients potentially affected by those actions is regrettable to say the least,” said Elizabeth Rice, Trios’ compliance officer and director of Health Information Management, in a statement.

“As upsetting as it is for all affected, we are not going to hide from this and pretend it didn’t happen. It did happen, it involves the actions of one person and is not broadly representative of our staff or our privacy standards, and we’re taking many steps to ensure it doesn’t happen again,” she said.

In the records, the former employee could have seen demographic information, such as patient addresses, phone numbers, driver’s license numbers and Social Security numbers, as well as limited medical information, namely diagnoses. Not all those fields necessarily were filled out in each record.

The breach was limited to hospital patients and did not include records from outpatient Trios Medical Group providers.

All affected patients are being notified. Trios is paying for them to enroll in identity theft protection and fraud monitoring services for up to one year.

Officials have said they don’t believe identity theft was a motive.

“We don’t know the motivation, but from our investigation and interviews we don’t believe the former employee meant any harm. We do believe it’s a very low risk that any of the information will be used or re-disclosed,” Rice told the Herald last month.

The breach was discovered in March as Rice and her team conducted a patient information and compliance review. The review was part of the operational improvement work Trios is implementing system-wide as moves to improve its financial position.

Trios notified the state Attorney General’s Office and the federal Office for Civil Rights about the breach, as required. Officials have updated the agencies about the additional numbers.

Trios could face fines or other corrective action.

An official with the state Attorney General’s Office has said the agency doesn’t confirm or deny privacy breach investigations, although any formal legal action that resulted would be public. The federal Office of Civil Rights didn’t return a message from the Herald after the initial breach announcement.

Trios already required privacy training for staff, but it’s now taking additional steps, including adding more training, updating policies and procedures, performing a risk analysis and installing software to provide additional monitoring and cautionary indicators, officials have said.

Concerned patients who don’t receive notification via certified mail during the week of July 3 or who don’t have a mailing address on file with Trios may call the Health Information Management department at 509-221-5720, option 2, from 7 a.m. to 4 p.m. weekdays or go to trioshealth.org/privacy.

This story was originally published June 23, 2017 at 1:34 PM with the headline "Hundreds more affected by Trios Health privacy breach."