Lavender Sky Health exposed my wife's (life saving & emergency) abortion care

[brisket]

Lavender Sky Health exposed my wife's (life saving emergency) abortion care to me and I don't think they are remotely taking in seriously enough. What if I was a homicidal nutjob of a husband who did not understand what ectopic meant (We have those kind of ppl, they are called politicians here)?

They are playing loose and fast with confidential records in ways that could put women's lives at risk. They just assumed that I had a right to her records, and just assumed I was asking for her records too when I asked for mine.

They claim the person immediately self reported, I didn't notice the breach for days, and they didn't reply to me complaint for 2 more days. If they knew immediately, why didn't they inform my wife or I immediately?

If my new insurance didn't cover zepbound as of next month, I'd probably be looking to move to gray market. I'm done with LSH for sure.

<end rant>

 

[stickfigure]

Humans make mistakes. But even I have to take HIPAA training every year and I am not even remotely close to anything involving medicine or patient care - I could just accidentally come across protected information.

The fact that medical professionals who deal with HIPAA protected information all the time could make such mistakes is mind blowing

 

[brisket]

Humans make mistakes. But even I have to take HIPAA training every year and I am not even remotely close to anything involving medicine or patient care - I could just accidentally come across protected information.

The fact that medical professionals who deal with HIPAA protected information all the time could make such mistakes is mind blowing

I can't get over the fact that they knew about it for days, and didn't fess up until I complained. They still have not notified my wife...

Why are they emailing medical records in plaintext in the first place? Even my small down doc was doing secure transfers over a decade ago.

 

[YoYoFat]

How did this happen?

Did you contact them on her behalf? Log in using her sign in info?

 

[brisket]

How did this happen?

Did you contact them on her behalf? Log in using her sign in info?

I did not and would never login to my wife's medical account.

 

[BenevolentMrTang]

As a lawyer who used to work on medical and dental malpractice cases (both plaintiff and defense) and the victim of medical malpractice in the past, I can't say that anything surprises me anymore in the medical world. I've worked on cases where a surgeon left a surgical instrument inside a patient before sewing up the patient, then failed to remove it in a subsequent surgery before finally getting it out on the third try, weeks later, when the patient was in really bad shape. Or an oral surgeon who severed a lingual nerve, leaving this poor young woman with the inability to taste or smell anything for the remainder of her life (maybe another 60 years or so). And sometimes they operate on the wrong limb or remove the wrong organ. People have no idea how many mistakes medical professionals make, but I assure you that it is A LOT OF MISTAKES. And then there are the mistakes that nurses and others make with simple medical records that result in patients getting the wrong medication or 100 times the correct dosage of the right medication, killing or injuring them. So, yes, people are human, and humans are dangerous as hell, often stupid and too tired, too distracted and just plain negligent.

This is a serious breach and should not be taken lightly. Peoples' lives can be seriously impacted over mistakes like this.

 

[mopo89]

As a lawyer who used to work on medical and dental malpractice cases (both plaintiff and defense) and the victim of medical malpractice in the past, I can't say that anything surprises me anymore in the medical world. I've worked on cases where a surgeon left a surgical instrument inside a patient before sewing up the patient, then failed to remove it in a subsequent surgery before finally getting it out on the third try, weeks later, when the patient was in really bad shape. Or an oral surgeon who severed a lingual nerve, leaving this poor young woman with the inability to taste or smell anything for the remainder of her life (maybe another 60 years or so). And sometimes they operate on the wrong limb or remove the wrong organ. People have no idea how many mistakes medical professionals make, but I assure you that it is A LOT OF MISTAKES. And then there are the mistakes that nurses and others make with simple medical records that result in patients getting the wrong medication or 100 times the correct dosage of the right medication, killing or injuring them. So, yes, people are human, and humans are dangerous as hell, often stupid and too tired, too distracted and just plain negligent.

This is a serious breach and should not be taken lightly. Peoples' lives can be seriously impacted over mistakes like this.

this makes me so happy I never went into that sort of law. Even when I was a litigator, the worst I saw was a city planner in the pocket of a local developer. And that sort of stuff does not keep me up at night.

 

[AndyPanda]

This is a GLP forum, isn’t it?

 

[hexagonal]

This is a GLP forum, isn’t it?

And LSH is a major provider of compounded GLP1s

 

[Superfluous]

My mother had an etopic pregnancy when I was young. She had to get one of her ovaries removed. When she woke up from the operation she had a wound... on the wrong side. They accidentally removed the good ovary and left the etopic one in there. She had to have another operation which sterilised her at 23 years old.

So yeah as someone else said people make mistakes - in health care unfortunately mistakes can be costly.

 

[brisket]

This is a GLP forum, isn’t it?

And LSH was our provider of Tirzepatide, does reports of poor behavior of tirzepatide vendors not belong here? There are several such posts here, and this one could have cost a woman her life. There are plenty of stupid people who think ectopic pregnancies can be saved and "transferred" (hint, they cant), and also plenty of violent spouses out there. Had I been both, it could have easily been bad. LSH's reckless behavior and protocols could have causes even more significant harm.

 

[YoYoFat]

I did not and would never login to my wife's medical account.

Answer the question. How did it happen?

How did your wife’s medical telehealth provider tell you her medical history? How does that even happen? How could it have even happened unless you contacted them, you logged in to her account, you opened her email, or her account was linked to your email?

 

[BitsyRMSc]

Answer the question. How did it happen?

How did your wife’s medical telehealth provider tell you her medical history? How does that even happen? How could it have even happened unless you contacted them, you logged in to her account, you opened her email, or her account was linked to your email?

JHC. If you read the letter from LSH, it plainly states what happened under a bolded heading called, "What Happened".

 

[YoYoFat]

JHC. If you read the letter from LSH, it plainly states what happened under a bolded heading called, "What Happened".

Doesn’t answer my question. 🤷🏽‍♀️

 

[MiniatureSnail]

It's good practice to not actually give any of your real medical history to any telehealth place, weight loss or otherwise. You really cannot know what kind of place it is without being in the office.

I take several medications, have had several surgeries, have several diagnoses in my family history, and I entered 0 of that on any of these online forms.

I am honestly surprised that people do. But also, yes. Unfortunately, humans make mistakes. They should be taking it more seriously.

 

[MiniatureSnail]

Doesn’t answer my question. 🤷🏽‍♀️

I kind of agree. It states what happened, not how.

The employee would have had to access two separate charts and download information from two places. That's not a mistake, even if it was an accident.

Unless I'm misunderstanding? OP, @brisket did you request your medical records and receive both yours and your wife's, or did you both request your own medical records and received each other's instead? That I could see being easier to explain.

 

[SassyPants]

As a lawyer who used to work on medical and dental malpractice cases (both plaintiff and defense) and the victim of medical malpractice in the past, I can't say that anything surprises me anymore in the medical world. I've worked on cases where a surgeon left a surgical instrument inside a patient before sewing up the patient, then failed to remove it in a subsequent surgery before finally getting it out on the third try, weeks later, when the patient was in really bad shape. Or an oral surgeon who severed a lingual nerve, leaving this poor young woman with the inability to taste or smell anything for the remainder of her life (maybe another 60 years or so). And sometimes they operate on the wrong limb or remove the wrong organ. People have no idea how many mistakes medical professionals make, but I assure you that it is A LOT OF MISTAKES. And then there are the mistakes that nurses and others make with simple medical records that result in patients getting the wrong medication or 100 times the correct dosage of the right medication, killing or injuring them. So, yes, people are human, and humans are dangerous as hell, often stupid and too tired, too distracted and just plain negligent.

This is a serious breach and should not be taken lightly. Peoples' lives can be seriously impacted over mistakes like this.

My best friend was a lawyer for a very large hospital. Didn’t take him long to realize that he no longer wanted to be “ for “ the hospital for reasons you’ve mentioned. ( so many heartbreaking stories ) He does nothing but go after hospitals and incompetent staff now. I honestly can’t blame him.

 

[hexagonal]

Even if brisket explicitly requested his wife's medical records, it's still nothing they should have revealed unless she explicitly had signed off on him having access. Not sure why people are super concerned about the how - the explicit concern is a controlling spouse trying to get the records. Whether brisket asked for his own and got sent both, or 'red teamed' it and asked for something he knew he shouldn't, the end result is LSH breached HIPAA in a very blatant and amateurish way.

 

[chmuse]

Even if brisket explicitly requested his wife's medical records, it's still nothing they should have revealed unless she explicitly had signed off on him having access. Not sure why people are super concerned about the how - the explicit concern is a controlling spouse trying to get the records. Whether brisket asked for his own and got sent both, or 'red teamed' it and asked for something he knew he shouldn't, the end result is LSH breached HIPAA in a very blatant and amateurish way.

I'd personally want to understand how- was it the shared address? Shared last name? Have they ordered and received in the same box? But mostly out of curiosity- it's egregious either way.

 

[MiniatureSnail]

Even if brisket explicitly requested his wife's medical records, it's still nothing they should have revealed unless she explicitly had signed off on him having access. Not sure why people are super concerned about the how - the explicit concern is a controlling spouse trying to get the records. Whether brisket asked for his own and got sent both, or 'red teamed' it and asked for something he knew he shouldn't, the end result is LSH breached HIPAA in a very blatant and amateurish way.

Same as @chmuse said .. as someone who has to abide HIPAA laws for work and had also worked extensively with medical records, it's genuine curiosity on where their process failed. Obviously they are wrong and something failed, I'd just like to understand how.

Did this employee download the records and attach the wrong file to the email? Did they use a "send direct to patient" option and enter the wrong email address? Were the names similar? Did they not verify a secondary identifier like DOB?

Like, what happened? Lol. Most of my experience is with Epic, which I am pretty sure they're not using, otherwise we'd all just have a portal to access and wouldn't need to ask for records to be supplied manually. So somewhere, for some reason, an employee had to take all these deliberate steps to send a medical record, and during one of those steps, hit the wrong button or entered the wrong information.

I'm just curious what happened.

 

[chmuse]

Same as @chmuse said .. as someone who has to abide HIPAA laws for work and had also worked extensively with medical records, it's genuine curiosity on where their process failed. Obviously they are wrong and something failed, I'd just like to understand how.

Did this employee download the records and attach the wrong file to the email? Did they use a "send direct to patient" option and enter the wrong email address? Were the names similar? Did they not verify a secondary identifier like DOB?

Like, what happened? Lol. Most of my experience is with Epic, which I am pretty sure they're not using, otherwise we'd all just have a portal to access and wouldn't need to ask for records to be supplied manually. So somewhere, for some reason, an employee had to take all these deliberate steps to send a medical record, and during one of those steps, hit the wrong button or entered the wrong information.

I'm just curious what happened.

Exactly. I don't work in medical records, so I don't know exactly how they handle these things, or even if I did, how telehealth does (usually in order to get records you need to either log into your portal, or show up with ID. We don't send records via email unless you specifically sign a waiver asking for it.)

I am not in any way trying to imply @brisket did anything wrong. I just want to know how they managed to make such a stupid ass mistake. I won't even confirm someone's spouse is a patient unless they're listed as emergency contact.

 

[Vicki]

I didn't even realize your spouse couldn't see your medical records.

 

[Vicki]

I kind of agree. It states what happened, not how.

The employee would have had to access two separate charts and download information from two places. That's not a mistake, even if it was an accident.

Unless I'm misunderstanding? OP, @brisket did you request your medical records and receive both yours and your wife's, or did you both request your own medical records and received each other's instead? That I could see being easier to explain.

Maybe they used the same mailing address or phone numbers on their accounts? Or same anything who knows. They live together I'm assuming.

Sometimes the dr uses only my phone number to look up my records then they confirm date of birth after. Could be someone skipped a step and could see both charts.

 

[chmuse]

I didn't even realize your spouse couldn't see your medical records.

They can if you sign forms giving them permission.

Maybe they used the same mailing address or phone numbers on their accounts? Or same anything who knows. They live together I'm assuming.

Sometimes the dr uses only my phone number to look up my records then they confirm date of birth after. Could be someone skipped a step and could see both charts.

That's the thing, if they looked it up by address/ phone number and two charts popped up, they absolutely should have asked further questions instead of just.... Giving @brisket both charts? That's incredibly stupid.

 

[Grannuaile]

I didn't even realize your spouse couldn't see your medical records.

Male spouses/partners are the number one killers of women, that is why privacy is such a big concern.

 

[Vicki]

Male spouses/partners are the number one killers of women, that is why privacy is such a big concern.

Yes it makes sense for sure. It just seems like this is always violated the few times I've been in the er with my husband. Sometimes the nurse will ask if it's okay to speak in front of me but there's been times they just talk and don't ask permission.

 

[brisket]

Answer the question. How did it happen?

How did your wife’s medical telehealth provider tell you her medical history? How does that even happen? How could it have even happened unless you contacted them, you logged in to her account, you opened her email, or her account was linked to your email?

I dont know. I emailed the from my email, and asked for my records. My wife made no request, nor did I mention wanting her records or anything. They jhust fucked up.

 

[brisket]

I kind of agree. It states what happened, not how.

The employee would have had to access two separate charts and download information from two places. That's not a mistake, even if it was an accident.

Unless I'm misunderstanding? OP, @brisket did you request your medical records and receive both yours and your wife's, or did you both request your own medical records and received each other's instead? That I could see being easier to explain.

I requested my records and closure of my account. They sent me both my wife and my records and closed both of our accounts.

I'd personally want to understand how- was it the shared address? Shared last name? Have they ordered and received in the same box? But mostly out of curiosity- it's egregious either way.

No different accounts, different emails, separate everything. We dont mix digital stuff nor medical stuff.

Even if brisket explicitly requested his wife's medical records, it's still nothing they should have revealed unless she explicitly had signed off on him having access. Not sure why people are super concerned about the how - the explicit concern is a controlling spouse trying to get the records. Whether brisket asked for his own and got sent both, or 'red teamed' it and asked for something he knew he shouldn't, the end result is LSH breached HIPAA in a very blatant and amateurish way.

I did not request my wife's records, that isnt my business.

Male spouses/partners are the number one killers of women, that is why privacy is such a big concern.

This is why I'm raising hell

 

[brisket]

To be super clear, I did NOT request anything related to my wife's records, my wife did not request anything related to her records. I did not use the same PC, same Phone, same email, same LSH account. We did use the same credit card, same address and share the same last name.

We don't share our medical histories and if one of us wanted to know we would ask the other. The only reason she was even with LSH is because I was a customer first and found it easy to deal with.

LSH is refusing to answer questions about who all accessed the records, and who else they were shared with.

 

[brisket]

Yes it makes sense for sure. It just seems like this is always violated the few times I've been in the er with my husband. Sometimes the nurse will ask if it's okay to speak in front of me but there's been times they just talk and don't ask permission.

I had the opposite in the ER, they gave anything to my wife, which honestly I would have been fine with.

Same as @chmuse said .. as someone who has to abide HIPAA laws for work and had also worked extensively with medical records, it's genuine curiosity on where their process failed. Obviously they are wrong and something failed, I'd just like to understand how.

Did this employee download the records and attach the wrong file to the email? Did they use a "send direct to patient" option and enter the wrong email address? Were the names similar? Did they not verify a secondary identifier like DOB?

Like, what happened? Lol. Most of my experience is with Epic, which I am pretty sure they're not using, otherwise we'd all just have a portal to access and wouldn't need to ask for records to be supplied manually. So somewhere, for some reason, an employee had to take all these deliberate steps to send a medical record, and during one of those steps, hit the wrong button or entered the wrong information.

I'm just curious what happened.

We have the same mailing address, used the same credit card and have the same last name. Thats all I got for you. It failed at reckless human behavior, and a lack of security controls. Epic would have been far safer.

They can if you sign forms giving them permission.

That's the thing, if they looked it up by address/ phone number and two charts popped up, they absolutely should have asked further questions instead of just.... Giving @brisket both charts? That's incredibly stupid.

No permission was given either way. Had to be look up via address, credit card or last name? but we dont have that uncommon of a last name ... so that is even scarier.

I didn't even realize your spouse couldn't see your medical records.

That requires explicit written consent, which wasn't here.