21-Day Quarantine; Forced to Work Sick? Data Breaches Sweep Healthcare

Welcome to the latest edition of Investigative Roundup, highlighting some of the best investigative reporting on healthcare each week.

Hong Kong’s Zero-COVID Approach

A ProPublica reporter visiting family laid out what it took for a city of 7.5 million to keep COVID-19 at bay.

Caroline Chen travelled to Hong Kong for the holiday and underwent a battery of precautionary measures, consistent with its “zero infection policy.” As a result, the city has only endured 213 COVID deaths, compared to New York’s 35,500 in a city of 8.5 million.

Chen had to present proof of a negative COVID test pre-flight, hotel booking, vaccination, and Hong Kong residency. She took a COVID test at the airport, then was transported by van into an immediate 21-day quarantine at a hotel, where leaving the room just once could result in a $25,000 fine and 6 months in prison. She was tested seven times at the hotel, and even the trash had to be discarded in a specific way. Her meals were provided, and finally she was allowed to leave.

Chen noted that throughout the pandemic, experts considered Hong Kong’s strident measures to be excessive, citing the window of transmission that was likely much shorter than 21 days. But with such strict rules, and universal masking both indoors and out, the country had managed to avoid the worst of the pandemic.

“The community-minded and prevention-oriented attitude of Hong Kong citizens is one that Americans could benefit from,” Chen wrote, “Yet Hong Kong is losing talent and business due to its strict approach.” Nevertheless, her family could move around the city and celebrate with certainty that no one would be infected.

Hospital Staff Shortages Push the Infected to Work

Recent CDC guideline changes allow asymptomatic healthcare workers who test positive for COVID-19 to return to work after isolating for 5 days instead of 10, and without a negative test. A number of hospitals are acquiescing to the pressure — yet staying within the CDC guidelines — under an unprecedented Omicron surge, Politico reported.

Workers and some nurses’ unions are concerned about the move, calling it unsafe — especially for immunocompromised and cancer patients.

“It feels extremely irresponsible because you’re asking us to work sick,” one ICU nurse, Jennifer Caldwell of Kansas City’s Research Medical Center, told Politico. “The science shows that just because you’re asymptomatic doesn’t mean that you’re not infectious.”

Some health officials say that the staffing shortages leave them no choice, and that testing workers before they return would only exacerbate the strain.

“We have long lines outside of our testing clinic for patients and families, and if I had to disproportionately keep testing my employees to bring them back to work, that would compromise access to testing for the community,” Shereef Elnahal, the CEO of University Hospital in Newark, New Jersey, told Politico.

The CDC doesn’t require health providers to tell patients whether they’ve been in close contact with an infected worker for more than 15 minutes, and hospitals did not say whether they’d implemented policies to inform patients of this kind of contact. HHS data showed that the number of hospitals voluntarily reporting “critical” staff shortages ballooned from 165 to 1,118 since Thanksgiving.

Data Breaches Sweep Healthcare Services

Hackers are targeting healthcare facilities and companies with an alarming frequency, according to news reports and announcements from organizations themselves.

The HHS Office for Civil Rights (OCR) reported more than 550 breaches in 2021 alone, exposing the protected health information of at least 40 million people.

Broward Health, a system based in Florida encompassing more than 30 healthcare locations, endured a cyber attack in October that could have affected the data of 1.3 million patients and staff. A January 1 statement from Broward said the information included “name, date of birth, address, phone number, financial or bank account information, Social Security number, insurance information and account number, medical information including history, condition, treatment and diagnosis, medical record number, driver’s license number and email address.”

Ciox Health also revealed that an unauthorized user had accessed email accounts and downloaded health information this way, including much of the same information as the Broward Health breach, although it wrote in a statement that the intruder accessed an email account with “treatment information of a very limited number of individuals.” Ciox Health listed more than 30 healthcare locations and 12,493 individuals affected.

Capital Region Medical Center, based in Missouri, reported unusual activity in their phone system and had a phone outage in December. Saltzer Health, based in Idaho and part of Intermountain Healthcare, also began notifying affected individuals on January 3 of an email account breach at the end of May. MedQuest Pharmacy, also based in Florida, reported a data breach at the end of December that it had detected in November, which affected more than 39,000 individuals.

Loyola University Medical Center, a member of Trinity Health, reported an email breach to HHS on December 30, and said that information from almost 17,000 patients was potentially exposed. The Medical Review Institute of America was hit with a cyber attack in November and reported on January 7, and an August cyberattack on Rhode Island Public Transit Authority (RIPTA) exposed thousands of its health plan members’ data.