Arrow-right Camera
News >  Spokane

Sue Lani Madsen: HIPAA Identity Theft – Sort Of

Sue Lani Madsen. (Jesse Tinsley / The Spokesman-Review)
Sue Lani Madsen. (Jesse Tinsley / The Spokesman-Review)

If you’re still waiting for your prescription refill authorization or a call back for a physician referral, it might have stalled on my mother’s kitchen table.

The problem started over a year ago. At first it was just annoying. Fax machines dialed Mom’s home phone, repeating multiple times when there was no screeching response. When the calls started coming at 3 a.m., she turned off the phone overnight but then had to listen to a voice mail full of “Aiyeeeeeeeeeeeeeeeee eeeeeeeeeee eeeeeeeeeee the next morning.

Sometimes the voice mail included caller ID, often a retail pharmacy. Mom would track down a phone number and ask them to stop. That worked for small offices with a single fax machine.

The situation moved from annoying, to worrying, to maddening. My mother, Fran Wicht, is a retired RN and former Professor of Nursing at Spokane Community College. Her nursing instincts are still strong, and she worried about the patients. What happened when the faxes didn’t go through? And tracking down senders one at a time was a burden. She asked her daughters and granddaughter for backup.

Last March calls came from Virginia Mason Memorial Hospital in Yakima. Mom talked to two different people who said they couldn’t do anything. I suggested they should alert all staff via email to stop faxing my mother’s phone every 2 minutes. The screeching tones stopped after leaving a sternly worded voice mail to an administrator assuring them our family would take turns calling and load up her voice mail like they were stuffing Mom’s mailbox.

We checked with the state Department of Health, but there’s no protocol for this situation. Complaints under the HIPAA Privacy Rule have to be filed for each incident on each individual provider with each separate licensing board. It would have been a nightmare to pursue. And we didn’t want to punish anyone for a simple mistake, just make it stop.

The phone company wouldn’t do anything after Mom hit the limit of 25 blocked numbers. There were always new ones. They cheerfully suggested Mom should just change her phone number. Not a chance. It’s been her number for 57 years.

We needed the intended recipient to help solve the problem permanently, but that was impossible to know without more information. So we plugged in Mom’s standard multi-function print/fax/scanner to the phone line. And now we know more than we ever needed. “Everyone likes getting mail by post or email, either is great. What’s not so great is getting pages of faxes filled with patient information and marked “Confidential Statement” or “Protected Health Information,” said Mom.

The first fax machines were an expensive business investment, often in a secure location with limited access. Now a multi-function printer with fax capability thrown in as an often unused extra feature is less than $100 at Walmart. Anyone could intercept the transmissions. The patients are fortunate they’re going to a retired nurse who understands health care privacy and HIPAA.

Turned out there were multiple intended destinations, but we did find a common denominator. The recipients were all connected to the Providence Health system. My sister persisted through the standard corporate voice mail. There’s no option to “Press 7 if you are being hounded by faxes intended for Providence.” It took reaching an actual human in technical support to report this strange case of identity theft. It’s a sticky problem that doesn’t neatly fall into anyone’s bailiwick.

I reached out to Providence administration and the executive assistant to the CEO, knowing she’d have the best network of contacts. Patti Petersen was appalled and started the pressure from the top. Colleen Wadden, Executive Director for Reputation Communication for Providence St. Joseph Health, also called to apologize and sent a formal statement.

“We have protocols in place to prevent information from being shared inappropriately, as well as for how to respond when an error occurs. We strive to respond quickly to any event involving our patients’ information and a delay in response is not acceptable.”

Somewhere, somebody entered a wrong number. The bad data migrated. There’s no protocol anticipating this kind of a data hack, but it’s going to keep a lot of people busy responding.


Subscribe to the Morning Review newsletter

Get the day’s top headlines delivered to your inbox every morning by subscribing to our newsletter

There was a problem subscribing you to the newsletter. Double check your email and try again, or email webteam@spokesman.com

You have been successfully subscribed!