The Jones Day dump contains prescription drug records. Who’s notifying those patients of the breach?
By now, many are aware that Jones Day, a giant law firm, had some of its files stolen due to vulnerabilities in the standalone file transfer administration system by Accellion. Jones Day is one of dozens of Accellion clients that have found themselves investigating and dealing with breaches affecting their businesses and clients. The Jones Day data dump is a good opportunity to remind people that what would be protected health information under HIPAA in one setting may — or may not — lose some of its security protection when it winds up in a law firm’s custody. It depends, in part, on what the law firm’s role is. If a law firm is providing services to a HIPAA covered entity that involves the use or disclosure of protected health information (PHI), then they may be a Business Associate under HIPAA. Software firms that access PHI, collection agencies that access or use PHI, and law firms that use or disclose PHI on behalf of a covered entity would all be examples of business associates. Business Associates are supposed to have contracts in place with the Covered Entity. Some of the files in the Jones Day data dump that DataBreaches.net examined are spread sheets with details on prescriptions issued by a named physician in Florida. It took only minutes of searching on Google to learn that this physician had been the subject of a disciplinary action by the state. As a result of a complaint related to prescribing practices and the death of a patient, the state had restricted the physician’s license to practice medicine and imposed some conditions. Those conditions include a permanent restriction barring him from prescribing any Schedule I – Schedule IV controlled substances, and a requirement that he practice with indirect supervision/monitoring, presumably including access to his records and logs. In Jones Day’s files are spreadsheets pertaining to this physician’s prescriptions. The records begin in 2013 (the year that the patient died) and the most recent pharmacy fill date was January 6, 2021. The spreadsheets list every prescription the physician wrote. Each record includes detailed information on the pharmacy, the patient, and the prescription. The patient information fields include first and last name, their date of birth, their patient ID, phone number, full postal address, and the name of their insurer. Information on the prescription included the prescription number as filled by the pharmacy, the medication tradename, the generic name, the drug strength, the date the prescription was written, when it was filled, how many refills were left, and what drug schedule the medication is on. The prescribing physician was also listed for every prescription with their DEA number. All told, there were 182,409 records in the spread sheets. DataBreaches.net did not attempt to deduplicate them but notes that there were often dozens of prescriptions for a single patient, and the number of unique patients will be only a fraction of the number of records. The information in these records were undoubtedly PHI when on the pharmacies’ systems. But were they PHI on Jones Day’s server? Jones Day is not a HIPAA covered entity, but is Jones Day a Business Associate to the physician? Or were they retained by the state or some other entity that would make them a Business Associate under HIPAA? Their purpose in collecting and using the records makes a difference. If they were hired by the physician to provide a service related to complying with a state order, then that is a healthcare operation and I would think there should be be a Business Associate contract in place. But were they hired by the physician for that function? And was there any Business Associate agreement in place? DataBreaches.net reached out to Dr. Ramesh M. Patel on February 21 via his web site chat contact to ask him about the breach and whether Jones Day was a Business Associate. He never replied. DataBreaches.net also contacted Jones Day to ask whether Jones Day had a Business Associate agreement in place with Dr. Patel, and to ask who was going to be notifying the patients about this breach. Jones Day did not respond by time of this publication. DataBreaches.net notes that Accellion may also have been required to have a Business Associate agreement in place with Jones Day if the data Jones Day was transmitting was covered by HIPAA. If it turns out that Jones Day had a BAA in place with Dr. Patel and that Accellion had a BAA in place with Jones Day, who is responsible for notifying the patients? And who would be responsible for notifying the U.S. Department of Health and Human Services of this breach? As I understand it, under HIPAA and HITECH, the business associate has an obligation to notify the covered entity, but it is the covered entity who is responsible for notifying the patients and HHS. So if Jones Day had a BAA in place with Dr. Patel, then they must notify him, and he must notify the patients and HHS (in this case, a four-factor risk assessment does not seem to be needed as it is obvious that the PHI fell into unauthorized hands and there is a risk of misuse). The pharmacy-related records were not the only medically related information DataBreaches.net spotted in the files that this site spotted in the data dump by CLOP. Other files contained: releases to obtain medical records for a named patient. Will anyone notify that patient of this breach? a response to a subpoena that contained the names, medical record numbers, dates of admission and discharge for other named patients. Will anyone notify them? and an archive that contained 129 files with detailed information on patients, where each patient’s file might be 14 pages with their history, personal information, and medical notes and updates, lab results, etc. The hospitals involved included West Anaheim Medical Center, Huntington Beach Hospital, and Garden Grove Hospital and Medical Center, among others. Will anyone notify them? DataBreaches.net has no information as to how orDataBreaches.netRead More