On December 19, 2019, Sinai Health System issued a warning entitled “NOTICE OF SECURITY INCIDENT AT SINAI HEALTH SYSTEM” that advised “Sinai Health System (Sinai) has become aware of a potential data security incident that may have resulted in the inadvertent exposure of some patients’ personal and health information. On October 16, 2019, forensic information technology experts determined that patient information could be at risk after an unknown third party gained unauthorized access to two employee email accounts. Experts performed an investigation and found no evidence that any patient information was removed from Sinai Health System’s email accounts or systems. Further, Sinai is not aware of any misuse of any patient’s information and has seen no indication that any patient’s information is in the hands of someone it should not be as a result of this incident.”
Sinai further stated “While experts found no evidence that any emails containing patient information were opened during the period of unauthorized access, Sinai identified the patients whose personal and health information were stored in the email accounts with help from outside computer experts. The information that could have been in the two email accounts includes patients’ names, addresses, dates of birth, Social Security numbers, health information or health insurance information. Sinai encourages patients to review the letters that are being mailed for steps they can take to protect their information … Sinai Health System sincerely regrets any inconvenience that this incident may cause patients and remains dedicated to protecting patients’ personal and health information.”
Sinai states on its website: “Located on Chicago’s West and Southwest Side, Sinai Health System is comprised of Mount Sinai Hospital, Holy Cross Hospital, Schwab Rehabilitation Hospital, Sinai Children’s Hospital, Sinai Community Institute, Sinai Medical Group, and Sinai Urban Health Institute. The entities of Sinai Health System collectively deliver a full range of quality inpatient and outpatient services, as well as a large number of innovative, community-based health, research and social service programs. We focus our collective depth of expertise and passion to improve the health of the 1.5 million people who live in our diverse service area. With our team of dedicated caregivers, Sinai Health System is committed to building stronger, healthier communities.”
Breach Notification Rule
The HIPAA Breach Notification Rule, 45 CFR §§ 164.400-414, requires HIPAA covered entities and their business associates to provide notification following a breach of unsecured protected health information. A breach is, generally, an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information. An impermissible use or disclosure of protected health information is presumed to be a breach unless the covered entity or business associate, as applicable, demonstrates that there is a low probability that the protected health information has been compromised. Following a breach of unsecured protected health information, covered entities must provide notification of the breach to affected individuals, the Secretary, and, in certain circumstances, to the media. In addition, business associates must notify covered entities if a breach occurs at or by the business associate.
These individual notifications must be provided without unreasonable delay and in no case later than 60 days following the discovery of a breach and must include, to the extent possible, a brief description of the breach, a description of the types of information that were involved in the breach, the steps affected individuals should take to protect themselves from potential harm, a brief description of what the covered entity is doing to investigate the breach, mitigate the harm, and prevent further breaches, as well as contact information for the covered entity (or business associate, as applicable).
Covered entities that experience a breach affecting more than 500 residents of a State or jurisdiction are, in addition to notifying the affected individuals, required to provide notice to prominent media outlets serving the State or jurisdiction. Covered entities will likely provide this notification in the form of a press release to appropriate media outlets serving the affected area. Like individual notice, this media notification must be provided without unreasonable delay and in no case later than 60 days following the discovery of a breach and must include the same information required for the individual notice.
If your protected health information may have been breached, you should promptly find a medical malpractice lawyer in your state who handles such cases and who may investigate your breach of protected health information claim for you and represent you in such a claim, if appropriate.
Click on the “Contact Us Now” tab to the right, visit our website, or call us toll-free in the United States at 800-295-3959 to find medical malpractice attorneys in your state who may assist you.
Turn to us when you don’t know where to turn.