Lavender Sky Health exposed my wife's (life saving & emergency) abortion care

[chmuse]

Same as @chmuse said .. as someone who has to abide HIPAA laws for work and had also worked extensively with medical records, it's genuine curiosity on where their process failed. Obviously they are wrong and something failed, I'd just like to understand how.

Did this employee download the records and attach the wrong file to the email? Did they use a "send direct to patient" option and enter the wrong email address? Were the names similar? Did they not verify a secondary identifier like DOB?

Like, what happened? Lol. Most of my experience is with Epic, which I am pretty sure they're not using, otherwise we'd all just have a portal to access and wouldn't need to ask for records to be supplied manually. So somewhere, for some reason, an employee had to take all these deliberate steps to send a medical record, and during one of those steps, hit the wrong button or entered the wrong information.

I'm just curious what happened.

Exactly. I don't work in medical records, so I don't know exactly how they handle these things, or even if I did, how telehealth does (usually in order to get records you need to either log into your portal, or show up with ID. We don't send records via email unless you specifically sign a waiver asking for it.)

I am not in any way trying to imply @brisket did anything wrong. I just want to know how they managed to make such a stupid ass mistake. I won't even confirm someone's spouse is a patient unless they're listed as emergency contact.

 

[Vicki]

I didn't even realize your spouse couldn't see your medical records.

 

[Vicki]

I kind of agree. It states what happened, not how.

The employee would have had to access two separate charts and download information from two places. That's not a mistake, even if it was an accident.

Unless I'm misunderstanding? OP, @brisket did you request your medical records and receive both yours and your wife's, or did you both request your own medical records and received each other's instead? That I could see being easier to explain.

Maybe they used the same mailing address or phone numbers on their accounts? Or same anything who knows. They live together I'm assuming.

Sometimes the dr uses only my phone number to look up my records then they confirm date of birth after. Could be someone skipped a step and could see both charts.

 

[chmuse]

I didn't even realize your spouse couldn't see your medical records.

They can if you sign forms giving them permission.

Maybe they used the same mailing address or phone numbers on their accounts? Or same anything who knows. They live together I'm assuming.

Sometimes the dr uses only my phone number to look up my records then they confirm date of birth after. Could be someone skipped a step and could see both charts.

That's the thing, if they looked it up by address/ phone number and two charts popped up, they absolutely should have asked further questions instead of just.... Giving @brisket both charts? That's incredibly stupid.

 

[Grannuaile]

I didn't even realize your spouse couldn't see your medical records.

Male spouses/partners are the number one killers of women, that is why privacy is such a big concern.

 

[Vicki]

Male spouses/partners are the number one killers of women, that is why privacy is such a big concern.

Yes it makes sense for sure. It just seems like this is always violated the few times I've been in the er with my husband. Sometimes the nurse will ask if it's okay to speak in front of me but there's been times they just talk and don't ask permission.

 

[brisket]

Answer the question. How did it happen?

How did your wife’s medical telehealth provider tell you her medical history? How does that even happen? How could it have even happened unless you contacted them, you logged in to her account, you opened her email, or her account was linked to your email?

I dont know. I emailed the from my email, and asked for my records. My wife made no request, nor did I mention wanting her records or anything. They jhust fucked up.

 

[brisket]

I kind of agree. It states what happened, not how.

The employee would have had to access two separate charts and download information from two places. That's not a mistake, even if it was an accident.

Unless I'm misunderstanding? OP, @brisket did you request your medical records and receive both yours and your wife's, or did you both request your own medical records and received each other's instead? That I could see being easier to explain.

I requested my records and closure of my account. They sent me both my wife and my records and closed both of our accounts.

I'd personally want to understand how- was it the shared address? Shared last name? Have they ordered and received in the same box? But mostly out of curiosity- it's egregious either way.

No different accounts, different emails, separate everything. We dont mix digital stuff nor medical stuff.

Even if brisket explicitly requested his wife's medical records, it's still nothing they should have revealed unless she explicitly had signed off on him having access. Not sure why people are super concerned about the how - the explicit concern is a controlling spouse trying to get the records. Whether brisket asked for his own and got sent both, or 'red teamed' it and asked for something he knew he shouldn't, the end result is LSH breached HIPAA in a very blatant and amateurish way.

I did not request my wife's records, that isnt my business.

Male spouses/partners are the number one killers of women, that is why privacy is such a big concern.

This is why I'm raising hell

 

[brisket]

To be super clear, I did NOT request anything related to my wife's records, my wife did not request anything related to her records. I did not use the same PC, same Phone, same email, same LSH account. We did use the same credit card, same address and share the same last name.

We don't share our medical histories and if one of us wanted to know we would ask the other. The only reason she was even with LSH is because I was a customer first and found it easy to deal with.

LSH is refusing to answer questions about who all accessed the records, and who else they were shared with.

 

[brisket]

Yes it makes sense for sure. It just seems like this is always violated the few times I've been in the er with my husband. Sometimes the nurse will ask if it's okay to speak in front of me but there's been times they just talk and don't ask permission.

I had the opposite in the ER, they gave anything to my wife, which honestly I would have been fine with.

Same as @chmuse said .. as someone who has to abide HIPAA laws for work and had also worked extensively with medical records, it's genuine curiosity on where their process failed. Obviously they are wrong and something failed, I'd just like to understand how.

Did this employee download the records and attach the wrong file to the email? Did they use a "send direct to patient" option and enter the wrong email address? Were the names similar? Did they not verify a secondary identifier like DOB?

Like, what happened? Lol. Most of my experience is with Epic, which I am pretty sure they're not using, otherwise we'd all just have a portal to access and wouldn't need to ask for records to be supplied manually. So somewhere, for some reason, an employee had to take all these deliberate steps to send a medical record, and during one of those steps, hit the wrong button or entered the wrong information.

I'm just curious what happened.

We have the same mailing address, used the same credit card and have the same last name. Thats all I got for you. It failed at reckless human behavior, and a lack of security controls. Epic would have been far safer.

They can if you sign forms giving them permission.

That's the thing, if they looked it up by address/ phone number and two charts popped up, they absolutely should have asked further questions instead of just.... Giving @brisket both charts? That's incredibly stupid.

No permission was given either way. Had to be look up via address, credit card or last name? but we dont have that uncommon of a last name ... so that is even scarier.

I didn't even realize your spouse couldn't see your medical records.

That requires explicit written consent, which wasn't here.

 

[MiniatureSnail]

I requested my records and closure of my account. They sent me both my wife and my records and closed both of our accounts.

JFC. Well, I got nothin'. They suck. I hope that was person's very first day, because otherwise, that is gross negligence and lack of attention to detail. Sorry that happened to you.

 

[brisket]

JFC. Well, I got nothin'. They suck. I hope that was person's very first day, because otherwise, that is gross negligence and lack of attention to detail. Sorry that happened to you.

It was the patient support manager, as they were fumbling another issue and I decided to discontinue my service with them. My wife was planning to stay with them.

 

[chmuse]

I'm so sorry this happened to you guys. If you're both leaving them anyway I'd definitely file a HIPAA complaint.

 

[brisket]

I'm so sorry this happened to you guys. If you're both leaving them anyway I'd definitely file a HIPAA complaint.

I filed one. My wife is unwillingly leaving as they closed her account when I left. Almost sounds like retaliation, but I couldn't imagine that really.

 

[chmuse]

I filed one. My wife is unwillingly leaving as they closed her account when I left. Almost sounds like retaliation, but I couldn't imagine that really.

Compounding is unlikely to last long, anyway. You guys will save a fortune if you both go grey.

 

[Vicki]

I had the opposite in the ER, they gave anything to my wife, which honestly I would have been fine with.


We have the same mailing address, used the same credit card and have the same last name. Thats all I got for you. It failed at reckless human behavior, and a lack of security controls. Epic would have been far safer.


No permission was given either way. Had to be look up via address, credit card or last name? but we dont have that uncommon of a last name ... so that is even scarier.


That requires explicit written consent, which wasn't here.

Is this only for past records? I'm wondering cause what if its an emergency and your spouse is unconscious? Is the ER staff allowed to tell you how they got to that state? This is why I always thought just being married was considered consent

 

[MiniatureSnail]

Is this only for past records? I'm wondering cause what if its an emergency and your spouse is unconscious? Is the ER staff allowed to tell you how they got to that state? This is why I always thought just being married was considered consent

If you're listed as their emergency contact, then yes. If not, then they are not supposed to. That's why people have PoA and Advanced Directives, that give your spouse specific rights/privileges. They're not inherent just by being married.

 

[chmuse]

If you're listed as their emergency contact, then yes. If not, then they are not supposed to. That's why people have PoA and Advanced Directives, that give your spouse specific rights/privileges. They're not inherent just by being married.

Unless it's for permission to bill your insurance and you're unconscious. We'll 100% take their signature then. We won't tell them you're here because you got in a drunken fist fight, though. We'll just say you're unable to sign at this time.

Edit: this does also assume you came in with them, or have them listed as your econ. We're not going to Google who your spouse is.