The U.S. government is investigating a HIPAA breach at the Rocky Boy Health Center that may have affected the privacy rights of 6,000 patients.
The breach was reported Feb. 21 and was caused by a theft, the precise nature of which has not been revealed, according to the U.S. Department of Health and Human Services Office for Civil Rights.
While the theft could have occurred via email, desktop computer, paper or the server, the Office of Civil Rights indicates the breach at the Rocky Boy Health Center was caused by “other.”
A HIPAA breach means that protected health information was illegally accessed. HIPAA’s Breach Notification Rule requires entities to notify their patients when protected health information has been breached. If the breach involves more than 500 people, the entity must notify a media outlet serving the area about the breach.
The Health Center’s CEO, Jessica Windy Boy, did not reply to a request for comment, including what, if any, media outlet has been notified about the breach. Someone from the health center did solicit ad prices from The Herald immediately after the breach. The Herald decided the notice was worthy of a story on the basis that a HIPAA breach is of great public interest.
A representative for the Office of Civil Rights said the office does not comment on open or potential investigations. OCR is investigating 444 cases nationwide involving breaches. View the list here.
The 90,000-square-foot Rocky Boy Health Center, a Tribal Contract facility, a federally qualified health center, opened in June 2018 to a gleeful and receptive community. Its size allowed the many health departments that were previously spread across the Rocky Boy’s Indian Reservation to be consolidated in one building.
The Health Center had been in the works for years, having stalled multiple times for various reasons, including funding.
This story has been updated.