Officials from QuadMed, a occupational health and primary care services provider that operates within its clients' workplaces, confirmed three separate incidents that may have compromised clients' employees' protected health information, according to three notices posted on QuadMed's website.
In each of the three incidents, QuadMed took over an onsite health clinic for its clients' employees. QuadMed shared access to the occupational health EHR with certain employees for administrative duties; however, proper controls weren't always implemented.
Here are nine things to know about the three incidents.
1. Hillenbrand.
- QuadMed took over the onsite clinic for Hillenbrand's employees in November 2013.
- Hillenbrand and QuadMed agreed to share occupational health-related information in a joint occupational health EHR and allow certain authorized Hillenbrand employees access as needed for administrative matters.
- In a undated notice, QuadMed detailed a potential technical issue that granted Hillenbrand employees access to more information than necessary, which was discovered Dec. 26, 2017. The information included employees' name, date(s) of services or treatment at the onsite clinic, and medical information, such as test or evaluation results, diagnoses, and information related to medical history, examinations, physicals, screenings, vaccinations, travel medicine, and/or workers' compensation information.
- The notice did not say how long those employees had access to the unnecessary information.
2. Stoughton Trailers.
- Similar to Hillenbrand, QuadMed took over operations at Stoughton Trailer's occupational health clinics and shared access to its EHR.
- In a undated notice, QuadMed said it determined Dec. 26, 2017 certain Stoughton Trailers' employees had access to more information than permissible in the system, as well as through other electronic means, since May 9, 2016.
3. Whirlpool Corp.
- In January 2017, QuadMed took over the onsite clinic for Whirlpool's Clyde, Ohio-based plant.
- QuadMed learned Feb. 6, 2017 that certain controls governing access to the EHR had not been properly implemented and began to investigate the issue.
- "In October 2017, QuadMed was granted with the needed level of system access to more thoroughly investigate the issue. QuadMed subsequently determined this notification was appropriate," a third undated notice reads.
In each of the notices, QuadMed notes that it worked with its clients to implement new administrative and technical controls to better protect health information in the EHR, and employees have been re-educated on HIPAA.
Becker's Hospital Review reached out to QuadMed for comment. This story will be updated as more information becomes available.
More articles on cybersecurity:
64% of providers say EHRs failed to deliver many critical value-based care tools: 10 survey insights
Epic adds Healthwise's patient education resources to its App Orchard
Epic's population health tool adds resources from Geisinger spinoff xG Health Solutions