Outcomes - Selected Case Summaries


Local hospital sends patient COVID-19 results to unintended recipient

Decisions | 13 September 2023

A contained data breach originating from a local hospital's COVID-19 testing facility was detected when the test lab processed a batch of results through the hospital's testing portal system. One patient's results were sent to 27 unintended recipients/patients of the hospital.

Upon investigation, the hospital discovered that a change in its information system resulted in a disconnection affecting the transmission of patient registration data to the portal system. The error caused all contacts in the test batch to have missing registration data, but one patient had a good registration record, which resulted in the incorrect distribution of results.

The hospital notified us of the breach, informed the affected patient, apologized, and advised that the portal and information systems were reprogrammed to prevent any future disconnections. Patient results are no longer sent in batches: each result is now sent separately after verification, in the form of a password-protected, encrypted PDF attachment. In addition, new communications algorithms have been introduced between clinical systems to ensure data transfer errors are captured before test results are processed. Lastly, the hospital introduced an internal incident report for quality assurance in order to mitigate any future issues. We supported the actions taken and closed the matter.