The Role of Disclosure Management in Mitigating the Effects of a HIPAA Breach-- Takeaways from the Largest Pediatric Hospital Breach Ever Reported

by ih-coc admin

by Jay Hodes, President - Colington Consulting

On May 23, 2018, Boys Town National Research Hospital in Omaha, NE, "internationally recognized ‚Äčas a leader in clinical and research programs focusing on childhood deafness, visual impairment and related communication disorders” (“Research”, 2018), uncovered a data security breach tied to unusual activity associated with a single email account. According to the official notice issued by this organization, it was confirmed by July 3, 2018 that personal information of both patients and employees, including PHI, "may have been accessible" (“Notice of Data Security Incident”, 2018). Boys Town has stated that there are no reports of any data misuse as yet. On July 28, 2018, this incident, affecting 105,309 individuals, is at the top of OCR's Breach Portal, as the most recently reported breach, representing "the 8th largest health data breach" (McGee, 2018) this year. 

It is important to note that the threat raised by phishing or malware in this instance is secondary, in comparison to the real danger of the "negligent insider" (Kulkarni, 2018) who committed an essential act of wrongdoing that put patients and employees at Boys Town at risk, by storing personal information including PHI in an unsecured format (email). 

While the official notice issued by Boys Town offered some limited remediation, and also stated that its policies and procedures are in the process of being reviewed, the gravest danger that is immediately apparent is the failure of employee training, oversight, supervision, risk analysis, and management. In this case, Boys Town appears to have displayed non-compliance with the HIPAA Security Rule, by way of failing to properly comply with the HIPAA Privacy Rule, where a lack of appropriate administrative, technical, and physical safeguards led to personal information and PHI being stored in a single email account. 

A cursory search regarding this provider and/or this incident will invariably bring up the former's Glassdoor profile, viewable to anyone with internet access. While these opinions are in no way indicative of a causal relationship between Boys Town's managerial or administrative policies and this particular HIPAA breach, it is instructive to note how criticism of this organization on Glassdoor appears to focus on lapses in management, a lack of accountability, and a lack of appropriate communication between management and employees. It is important for PHI Disclosure Management to remain a primary focus of provider offices (Hardwick, Twiggs & Braden, 2015). These providers must include a scheduled full review of policies and procedures, as well as periodic internal audits, whether planned or otherwise, in order to uncover privacy and security issues that can lead to a HIPAA breach (Hardwick, Twiggs & Braden, 2015). An internal audit checklist could address various areas of the hospital or organization, and might include the following questions or prompts (Hardwick, Twiggs & Braden, 2015):

 * Are printers and fax machines secured from public view?

* Are waste bins free of PHI?

* Are computer monitors equipped with privacy screens or kept away from public view?

* Can staff discussing PHI be overheard?

* Are print capabilities limited to only the necessary departments?

* If patient names are used in waiting rooms, do clinicians and staff use only the minimum necessary? (i.e., Ms. Smith)

* If sign-in sheets are used, is the minimal amount of PHI requested?

* Are doors locked and access limited to departments housing PHI?

* Is the Notice of Privacy Practices posted?

Assuming that Boys Town does run an active and robust Disclosure Management program, the question then arises how a single email account could be allowed to accumulate data associated with 105,309 individuals. This glaring red flag must be addressed adequately by Boys Town National Research Hospital, above and beyond any amount of covered identity protection extended to the victims of this particular data breach.


Boys Town National Research Hospital. (2018). “Research.” Retrieved from 

Boys Town National Research Hospital. (2018). “Notice of Data Security Incident.” Retrieved from 

McGee, Marianne Kolbasuk (2018). "Biggest Pediatric Hospital Breach Reported." Retrieved from 

Kulkarni, Amit. (2018). "What are the top 3 considerations for healthcare organizations?" In Digital Guardian's 6 InfoSec Pros on the Top Healthcare Security Considerations (pp. 11-13). Retrieved from 

Boys Town National Research Hospital. (2018). “Notice of Data Security Incident.” Retrieved from 

Hardwick, D., Twiggs, M., & Braden, J. (2015). Optimizing PHI disclosure management in the age of compliance. Journal of AHIMA, 86(2), 32-37.