When the Identity System Fails

The Vancouver, Washington case — and why health care needs a recovery loop as visible as a lost suitcase 

When an airline loses a suitcase, the passenger may know where it is. 

The airline’s system may show a bag tag. The barcode may show a scan. An RFID read may show the last custody point. And now, increasingly, an AirTag or other tracker may show the passenger that the bag is sitting in another terminal, another airport, or another city. 

Airlines have not solved baggage failure by pretending the barcode is enough. They have built more recovery signals around it. 

IATA Resolution 753 requires member airlines to track baggage at four core points: handover from the passenger, loading onto the aircraft, delivery to the transfer area, and return to the passenger. The purpose is not just tracking. It is a verifiable audit trail for acquisition and handover of bags. (IATA) Delta has gone further by using RFID bag tags, read by scanners throughout the journey, with passengers receiving real-time updates in the Fly Delta app; Delta reports a 99.9% success rate for tracked bags using its RFID technology. (Delta Professional


Then came the consumer signal: AirTags. 

Apple’s Share Item Location feature allows a traveler to share the location of an AirTag or Find My accessory with a third party, including airlines. Apple said more than 15 airlines would begin accepting those item locations as part of their customer service process for delayed or mishandled bags, and Air Canada now allows customers to paste a Find My location link into the delayed bag form. (Apple) (Air Canada Tips for Travellers

This is an important evolution. 

Airlines did not say, “The customer’s tracker is outside our system, so we cannot use it.” 

They said, in effect: “If the system has failed, and the passenger has a signal that helps us recover, we should bring that signal into the recovery process.” 

Now compare that with patient identity. 

When a hospital’s identity process fails, the consequences are not a missing suitcase, a delayed trip, or a reimbursement claim. 

The consequences can move through medication orders, blood work, imaging, consent, clinical decisions, family communication, organ donation, end-of-life discussions, and death. 

That is what makes the Vancouver, Washington case so difficult to read. 

According to reporting based on court documents, David Wells arrived at PeaceHealth Southwest Medical Center in Vancouver, Washington, in August 2021 after choking on food and becoming unconscious. He was reportedly misidentified as his roommate, Michael Beehler. The hospital contacted Beehler’s family about end-of-life decisions, and Wells died after life support was withdrawn. The Clark County Medical Examiner later used fingerprints to confirm that the body was Wells, not Beehler. (People.com

The Washington Department of Health later investigated and, according to People’s reporting, found multiple violations related to patient identification processes. The reported findings included failures to ensure staff were trained to verify patient identification, failures of supervision around that verification, and failure to have a reliable method to identify each patient presenting for care. (People.com

The human tragedy is obvious. 

But the safety lesson is deeper. 

This was not simply a “wristband problem.” It was not simply a “staff problem.” It was not simply a “communication problem.” 

It was an identity system failure. 

And the question every health system should ask is not only: How did the wrong identity enter the system?

The harder question is: Once uncertainty entered the system, why did the system not stop, escalate, reconcile, and recover?


The wristband is not the identity

The wristband is often treated as the physical proof that the system knows who the patient is. 

But the wristband itself is not the patient’s identity. 

The US Joint Commission makes this distinction clearly: an armband is not, by itself, a patient identifier. It is a medium where patient identification information may be located. If armbands are used, they must be attached to the patient, not placed on a bedside table or taped to the bed. (Joint Commission International

That distinction matters. 

  • A barcode can tell the system that something was scanned. 

  • A wristband can present information. 

  • A patient can state their name and date of birth. 

  • A family member can confirm identity. 

  • A photograph, biometric check, registration record, prior encounter, or temporary identifier can support the process. 

But none of those signals should be treated as perfect on its own. 

The safety system is not the wristband. 

The safety system is the process that confirms, challenges, reconciles, and escalates identity when something does not fit.


Health care has standards — but the failure loop is still too local

It would be wrong to say health care has no patient identification standards. 

The US Joint Commission’s National Performance Goal #1, “Right Patient, Right Care,” states that ensuring the correct patient receives the correct care at the correct time is foundational to patient safety and is everyone’s responsibility in health care. (Joint Commission International) Hospitals are expected to have processes to correctly identify patients when providing care, treatment, and services, along with processes for handoffs, pre-procedure verification, site marking, and time-outs. (Joint Commission International

WHO guidance also emphasizes two identifiers, clear protocols for patients who lack identification, non-verbal approaches for comatose or confused patients, and patient participation in all stages of the identification process. It also specifically names technologies such as barcoding, RFID, and biometrics as possible supports for reducing identification errors. 

So the issue is not that health care lacks rules. 

The issue is that the failure recovery loop is often less visible, less standardized, and less patient-facing than it needs to be. 

The US Joint Commission notes that for non-communicative or confused patients, each organization determines what process will be used to safely identify the individual, and that expectations must be clearly communicated to staff and based on safety, not workflow convenience. It also notes that under some circumstances, such as an injured and unresponsive emergency department patient, a temporary name and medical record number may be assigned, with formal identification occurring as soon as possible. (Joint Commission International

That local flexibility is necessary. Hospitals are complex. Emergency care is unpredictable. Not every patient can speak. Not every patient arrives with identification. Not every registration record is clean. 

But local flexibility also creates risk. 

If the identity process is mostly internal, mostly local, and mostly invisible to the patient and family, the system may not generate a clear “identity uncertainty” signal until harm has already occurred. 

In baggage, an exception becomes a case. 

In health care, an identity exception must become a safety event. 


What aviation has learned about failure

The aviation comparison is not perfect. Bags are not patients. Baggage delays are not clinical harm. A suitcase does not require consent, medication, blood products, imaging, diagnosis, or end-of-life decisions. 

But aviation has learned something health care should take seriously: 

A barcode is not enough when custody changes, handoffs multiply, and failure is predictable.

That is why the baggage process has evolved from a simple tag to a tracking system. IATA’s model is built around defined custody points and a verifiable audit trail. Delta’s RFID model adds automated reads at multiple points in the journey. AirTags add an independent passenger-owned signal that can be shared back into the airline’s recovery process. (IATA) (Delta Professional) (Apple

The lesson is not that patients need AirTags. 

The lesson is that mature systems expect failure and design recovery around it. 

They ask: 

  • Where was the last confirmed identity event? 

  • Who accepted custody? 

  • What changed hands? 

  • Where did the mismatch occur? 

  • What outside signal could help us recover? 

  • What exception should have stopped the process? 

  • What audit trail will help prevent the next failure? 

Now translate those questions into health care. 

  • When a wristband is missing from the wrist, who knows? 

  • When a barcode does not scan, is that treated as a technical inconvenience or an identity safety signal? 

  • When a nurse prints a replacement band, is that logged as routine administration or as a possible failure point or neither? 

  • When a patient is transferred, does identity move with the same rigor as medication reconciliation? 

  • When an unconscious patient arrives by ambulance, what process confirms identity before family contact, consent, or end-of-life decisions? 

  • When staff rely on a verbal confirmation, what happens if the patient is confused, sedated, frightened, cognitively impaired, or simply trying to be agreeable? 

And when the system discovers that identity was wrong, how far back does it trace the error? 


The dangerous comfort of trust

There is another difference between airlines and hospitals. 

Passengers do not fully trust airlines with luggage. 

That may sound harsh, but it is true. Many travelers now place their own tracker in their bag because they believe the airline’s system may fail. They want an independent signal, me included. It provides a great sense of assurance knowing where my bag was last identified. 

Patients, by contrast, often trust the health system more than they trust themselves. 

  • They assume the hospital knows who they are. 

  • They assume the wristband is correct. 

  • They assume the scan worked. 

  • They assume the medication is theirs. Have you ever asked to verify the medication given? 

  • They assume the label on the specimen tube is right. 

  • They assume the person asking them to confirm their date of birth is following a reliable process. 

In many cases, patients are also too sick, too frightened, too sedated, too young, too elderly, too deferential, or too overwhelmed to question the system. 

That trust is understandable. It is also dangerous if the system quietly depends on passive patients. 

WHO’s patient identification guidance specifically encourages patients and families to verify identifying information, ask patients to identify themselves before medications or interventions, and encourage patients, families, and surrogates to be active participants in identification, raise concerns, and ask questions about whether care is correct. 

But that cannot become a transfer of responsibility. 

A passenger with an AirTag is not responsible for running the airline’s baggage system. 

A patient who speaks up is not responsible for running the hospital’s identity system. 

The system remains responsible. 

The patient and family are an additional signal, not the safety net. 


What should happen when identity fails?

  • A hospital identity system should have a visible recovery loop. 

  • Not a vague instruction to “check two identifiers.” 

  • Not a silent workaround when the scanning process fails. 

  • Not a replacement band printed without scrutiny or not attached to the patient's wrist. 

  • Not a verbal confirmation accepted because the unit is busy. 

A real recovery loop would treat identity uncertainty as a condition that requires escalation. 

It would include at least five steps. 

First: detect the failure. A failed scan, missing attached patient wristband, damaged band, unreadable barcode, reprinted wristband, temporary ID, mismatch between verbal confirmation and record, or patient unable to participate should not disappear into workflow. Each should create a signal. 

Second: pause the downstream process. Identity uncertainty should stop non-emergency care until reconciled. In an emergency, life-saving treatment continues, but the patient should remain in an identity-uncertain state until formal reconciliation occurs. 

Third: escalate to a defined owner. The burden should not fall on the individual nurse, clerk, transporter, or physician to invent a fix. There should be a defined pathway: charge nurse, registration lead, clinical supervisor, patient safety, or command center, depending on severity. 

Fourth: reconcile using multiple independent signals. The system should use available records, family or surrogate confirmation, prior encounter data, photographs where appropriate, ambulance information, government ID, biometrics where available, and clinical context. The point is not to collect more data for its own sake. The point is to avoid letting one wrong assumption become the source of truth. 

Fifth: leave an audit trail. The organization should be able to look back and see when identity became uncertain, who knew, what was done, how it was resolved, what care occurred during uncertainty, and whether any downstream records, orders, labels, results, or communications require correction. 

This is where health care can borrow from aviation without oversimplifying the comparison. 

Baggage tracking is not just about knowing where a bag is. 

It is about knowing where the chain of custody changed. 

Patient identification needs the same discipline. 

Not because patients are luggage. 

Because patients are infinitely more important. 


Vancouver should change the question

After a tragedy like the Vancouver case, it is tempting to ask, “Who made the mistake?” 

That question matters, but it is not enough. 

A better question is: 

How many chances did the system have to notice that identity was uncertain — and what did it do with each chance?

  • The patient arrived unconscious. 

  • The identity attached to him was reportedly wrong. 

  • The wrong family was contacted. 

  • End-of-life decisions were made through that wrong identity. 

  • The body was later identified through fingerprints. 

The true family’s understanding of what happened came much later. 

Each step shows how identity can become embedded into the system and then travel downstream as if it were true. 

That is the real danger. 

Once a wrong identity is accepted, every subsequent process can become “correct” according to the record and still be wrong for the person. 

  • The medication can match the chart. 

  • The family call can match the chart. 

  • The consent discussion can match the chart. 

  • The end-of-life decision can match the chart. 

But if the chart is attached to the wrong human being, the system is not safe. 


From barcode to behaviour

This series is called Patient Identity & Safety: From Barcode to Behaviour for a reason. 

The barcode matters. 

The wristband matters. 

RFID, biometrics, digital tokens, and onboarding workflows may all matter. 

But identity safety is ultimately behavioural and systemic. 

  • It lives in what staff do when the scan fails. 

  • It lives in whether a workaround is treated as normal or risky. 

  • It lives in whether a missing wristband is a minor inconvenience or an identity exception. 

  • It lives in whether patients and families are invited to speak up without feeling difficult. 

  • It lives in whether hospitals audit identity failure before it becomes harm. 

And it lives in whether the organization is willing to say: 

“We do not know with enough confidence who this patient is yet.” 

That sentence should not be seen as failure. 

It should be seen as the beginning of safety. 

Because the most dangerous identity failure is not the moment the system is uncertain. 

It is the moment the system is uncertain but continues as if it is sure. 


The call to action

Health care does not need to copy airlines. 

It needs to learn from the way mature operational systems think about failure. 

Airlines moved beyond the barcode because the barcode alone could not answer every recovery question. RFID created richer custody points. Passenger trackers created another signal. Airline workflows are now beginning to accept that passenger-provided signal when the internal system does not know enough. 

Health care should ask the same question: 

When the patient identity system fails, what signal do we accept, who owns the recovery, and how do we know the failure was fixed?

The Vancouver case is a tragedy. 

It should also be a turning point. 

Not toward blaming patients. 

Not toward blaming frontline staff. 

Not toward believing that one more technology will solve the problem by itself. 

But toward building a patient identity recovery loop that is visible, auditable, and strong enough to stop uncertainty before it becomes harm. 

Because in health care, the question is not whether the wristband scanned. 

The question is whether the system truly knows who is in front of it. 


About Medirex Systems Inc.

Medirex Systems Inc. (Medirex) is a Canadian-owned and operated business connecting patients to health information systems. Being an industry leader for over 50 years, Medirex has evolved to bridge the gap between patient identification and engagement by cultivating patient connections with ease, security, and no errors. Providing a positive patient identification experience for over 10 million Canadians, Medirex adopts technologies ensuring that the patient has a voice in their healthcare journey. Medirex aids in the adoption of digital health resources and data to improve the patient experience for your healthcare organization.

Media Contact:

Medirex Communications
Medirex Systems Inc.
+1.416.363.9313
info@medirex.com

Previous
Previous

The Patient as the Missing Identity Factor 

Next
Next

When the Wristband Leaves the Wrist What happens when scanning fails — and who fills the gap?