Dedicated to providing the latest
HIPAA compliance news

Texas Health and Human Services Commission Notifies 600 of PHI Exposure

Share this article on:

A storage contractor has informed the Texas Health and Human Services Commission (HHSC) that 15 storage boxes have been discovered to be missing. The boxes were stored at three Iron Mountain facilities in Dallas, Fort Worth, and Irving.

The boxes contained files relating to individuals who had applied to HHSC for medical assistance between January 1, 2008 and August 31, 2009. The files contained names, addresses, dates of birth, Social Security numbers, Social Security claim numbers, bank account numbers, Medicaid/individual numbers, and medical record numbers. The breach report submitted to the Department of Health and Human Services’ Office for Civil Rights indicates 600 individuals were affected.

Iron Mountain was contracted by HHSC to store boxes of client files prior to the records being permanently destroyed. HHSC is now conducting an investigation into Iron Mountain’s handling of the files and to determine how the boxes were lost. Once the investigation has concluded, HHSC will revise its policies and procedures to reduce the probability of similar incidents occurring in the future.

When boxes of old files are lost or stolen it can be difficult to identify the individuals affected. When records do exist, contact information may be out of date making it difficult to alert patients. In this case, HHSC has posted a breach notice on its website to advise individuals of the loss of their files. Individuals who believe that their case information has been lost have been offered a year of credit monitoring services without charge.

This is not the first time that Iron Mountain has been implicated in a breach of protected health information. In 2013, employees of Iron Mountain were suspected of stealing x-ray films to recover the silver. 742 boxes of x-rays were discovered to be missing and two employees were implicated. In total 49,714 patients of Orthopaedic Specialty Institute Medical Group were affected.

In the same year, a similar breach was reported which impacted 10,000 patients of Long Beach Internal Medical Group and the Hand Care Center and the Shoulder and Elbow Institute also reported a breach involving the theft of x-ray jackets from Iron Mountain Record Management facilities. These thefts were attributed to rogue employees at the firm.

Author: HIPAA Journal

HIPAA Journal provides the most comprehensive coverage of HIPAA news anywhere online, in addition to independent advice about HIPAA compliance and the best practices to adopt to avoid data breaches, HIPAA violations and regulatory fines.

Share This Post On