HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

40,000-Record Healthcare Database Stolen from Storage Shed in New Jersey

A bizarre report has been released this week on the theft of confidential patient records from a physician in New Jersey. The theft has potentially exposed the medical records of approximately 40,000 patients to unknown individuals.

The patient records belonged to Dr. Nisar A. Quraishi, an internal medicine specialist and assistant professor of medicine at the NYU Langone Trinity Center in New York, who was storing the PHI in a shed at his office storage facility.

The theft was noticed on Tuesday, October 21, although the actual date of the theft remains unknown. Dr. Quraishi last visited his storage facility in August this year and, on leaving, ensured that the shed was secured with two padlocks. This week, on his return to the shed, he discovered that both latches had been cut, and on entering the shed he noticed that all of his patient records had been stolen.

Dr. Quraishi was unable to provide the authorities with any details of the persons affected, only that the documents related to patients treated between 1982 and 2009, some of whom were possibly still being treated by the doctor. The data contained Social Security numbers, dates of birth, medical histories and patient contact information, including home addresses.

According to the police report, the shed was located on the first floor of a gutted building with exposed beams and no carpets. Apart from the shed, it was an apparently unused, empty space. Residents close to the location were unaware that there had been a break-in, although the doctor was notified by one resident who noticed that the locks were broken. The facility had no CCTV cameras or other security measures, and according to the police there were no witnesses to the actual break-in.

Under HIPAA regulations, PHI must be stored securely and physical, technical and administrative safeguards need to be put in place to prevent unauthorized access and use of the data. The shed was locked, but the location of the files and whether sufficient measures had been put in place to prevent the theft of the data are questions likely to be raised by the Office for Civil Rights.

Criminals are able to commit fraud with minimal patient health data and contact information, and if the doctor’s records are used by the thieves, patients may suffer financial losses and harm. For the theft to be considered a HIPAA breach, data relating to medical treatment, medical history and treatments must have been viewed, which appears to be the case with this theft.

Patients wishing to take legal action for losses suffered as a result of a data breach are not guaranteed damages. Recently, a HIPAA breach case was heard by a Californian Court which ruled that healthcare organizations are not liable under the Confidentiality of Medical Information Act (CMIA) for losses suffered as a result of a security breach; however, the Office for Civil Rights may decide that a financial penalty is applicable under the circumstances.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.