Banner Health in Arizona has responded to a recent commentary I wrote on its response to a major breach of protected health information. Banner points out errors in the story and acknowledges missteps of its own. And I, the reporter, did make a crucial mistake.

The organization sent copies of its twice-yearly Smart & Healthy magazine to more than 50,000 beneficiaries of the Medicare Pioneer Accountable Care Organization, primarily in Maricopa County. The address labels, which came from the Centers for Medicare and Medicaid Services, included recipients’ Medicare numbers, which include or are identical to Social Security numbers.

The commentary took Banner to task for not having notice of the breach on the home page of its Web site or in the news section after the organization discovered the breach from upset recipients who also called local media, which published stories. I began investigating the breach on March 5, and the site gave no indication that a breach had occurred, although an early local story dated back to February 24. Banner did not respond to a message HDM sent asking for more information. Consequently, the commentary noted that health consumers going to the Web site for more details on the breach “probably aren’t impressed when they find nothing at all--like it never happened.”

Bill Byron, vice president of public relations at Banner, acknowledges that impression was the right call at the time because that’s how it looked. He notes that a notice was posted on March 5, but late in the evening right before midnight of March 6, and that a notice that should have been posted in the Web site’s news section was not.

I checked the Banner Web site again before publication of the commentary and did not see a notice on the home page or in the news section. But the notice, which should be prominent, was there, as a small icon whose headline did not indicate a breach, placed in a section generally used to market services. Byron acknowledges that “the headline certainly could be different,” and that the organization would take another look at it. But on March 12, the small icon remains with the original headline and the breach notice is not posted to the press page.

The headline on the icon, which shows a copy of the magazine, reads, “Notice Regarding Smart and Healthy Publication.” I took the notice to be a marketing pitch for the magazine. But I have been covering health information technology for two decades and was covering emerging HIPAA laws three years before they actually became law. That icon and headline won’t get folks clicking to open it. But I certainly should have known better and regret the error.

My message to Banner asking for more information on the breach, sent via a general message box--media contact information is not on the Web site--was not responded to because it fell through the cracks. That is understandable because PR pro Byron was rather busy at the time dealing with the breach fallout and says he responded to every media request he received. And we all get way too many messages every day. Byron acknowledges that his name and e-mail should be on the Web site.

Importantly, Byron notes that the organization was not in a position to formally notify patients and press of the breach at the time that press started getting wind of it. Under the HIPAA breach notification rule, organizations have 60 days from discovery of a breach to issue notices. Banner discovered the breach when patients started calling on Feb. 24 after seeing their Medicare numbers on the address label, and reporters soon were calling as well. Byron had indicated to a local reporter that notices would start to go out within days of discovery, but that proved to be overly optimistic; it took more time than expected to compile the list of affected individuals and contract for 12 months of identity protection services from Experian, he says. Banner began mailing formal notices on March 5--which is still a fast response--and then a notice was placed on the Web site.

The organization is starting to better understand the processes that broke down and caused the breach, Byron says.

Banner has a file review and scrubbing process for mailing lists. Normally, a list goes to the information technology department to scrub all private information except name and address. A sample of 20 labels also must be manually checked. But the list got out to the mailing process prior to I.T. scrubbing and was “eyeball scrubbed” by those putting out the mailing. Banner has had a “practice” in place that a list cannot be used unless it goes through the scrubbing and sample checks. Now, that practice has been replaced by a formal policy, Byron says.
