Texas hospice group sees HIPAA breach

Employee emails patient reports via unsecured channel
By Erin McCann
10:45 AM

Officials at the New Braunfels, Texas-based Hope Hospice have notified 818 patients following a HIPAA breach after an employee emailed a report of patient referrals and admissions to themselves via an unsecured channel on two separate occasions.

After conducting an internal audit in February 2013, Hope Hospice officials discovered the employee emailed patient data back in December 2012 and again in February 2013. The data sent in the reports included 818 patient names, referral source, referral and admission dates, insurance information, clinical chart data, county and date of discharge. Social Security numbers, patient dates of birth and addresses were not contained in the report, officials added. Due to the number of affected individuals and the agency’s policy against using unsecured channels for communicating patient information, each patient or their next of kin is being notified of the occurrence.


According to a company notification, Hope Hospice staff members have received additional training, and "the agency is performing a comprehensive review to further refine its policies and procedures related to patient privacy and security. Steps are also under way to further improve the security of the agency’s operations."

HIPAA-covered entities are required by law to notify patients, the media and the Department of Health and Human Services within 60 days of discovering a data breach involving 500 or more individuals.


According to HHS data, nearly 214,000 individuals across Texas have had their protected health information compromised since the August 2009 Breach Notification Rule.

Nationwide, some 21 million patient records have been compromised in healthcare data breaches since 2009. What's even more concerning, said Lisa Gallagher, senior director of privacy and security for HIMSS, at the Boston Privacy and Security Forum, is that "data breaches involving 499 or fewer are not counted in the HHS final count." She estimated that somewhere between 40 million and 45 million patient records have actually been compromised. The number can't be confirmed, as the data isn't all there, she added, but it's a more accurate number based on healthcare organizations' reporting.

