A bizarre report has been released this week on the theft of confidential patient records from a physician in New Jersey. The theft has potentially exposed the medical records of approximately 40,000 patients to unknown individuals.
The patient records belonged to Dr. Nisar A. Quraishi, an internal medicine specialist and assistant professor of medicine at the NYU Langone Trinity Center in New York, who was storing the PHI in a shed at his office storage facility.
The theft was noticed on Tuesday, October 21, although the actual date of the theft remains unknown. Dr. Quraishi last visited his storage facility in August this year and, on leaving, ensured that the shed was secured with two padlocks. This week, on his return to the shed, he discovered that both latches had been cut, and on entering the shed he noticed that all of his patient records had been stolen.
Dr. Quraishi was unable to provide the authorities with any details of the persons affected, only that the documents related to patients treated between 1982 and 2009, some of whom were possibly still being treated by the doctor. The data contained Social Security numbers, dates of birth, medical histories and patient contact information, including home addresses.
The shed was located on the first floor of a gutted building with exposed beams and no carpets, according to the police report. Apart from the shed, it was an apparently unused, empty space. Residents close to the location were unaware that there had been a break-in, although the doctor was notified by one resident who noticed that the locks were broken. The facility had no CCTV cameras or other security measures, and there were no witnesses to the actual break-in, according to the police.
Under HIPAA regulations, PHI must be stored securely and physical, technical and administrative safeguards need to be put in place to prevent unauthorized access and use of the data. The shed was locked, but the location of the files and whether sufficient measures had been put in place to prevent the theft of the data are questions likely to be raised by the Office for Civil Rights.
Criminals are able to commit fraud with minimal patient health data and contact information, and if the doctor’s records are used by the thieves, patients may suffer financial losses and harm. For the theft to be considered a HIPAA breach, data relating to medical treatment, medical history and treatments must have been viewed, which appears to be the case with this theft.
Patients wishing to take legal action for losses suffered as a result of a data breach are not guaranteed damages. Recently, a HIPAA breach case was heard by a Californian Court which ruled that healthcare organizations are not liable under the Confidentiality of Medical Information Act (CMIA) for losses suffered as a result of a security breach; however, the Office for Civil Rights may decide that a financial penalty is applicable under the circumstances.