480,000 Patients Notified of Radiology Regional Center PHI Exposure
In December, Radiology Regional Center, PA., was alerted to a privacy breach by Lee County Solid Waste Division following the accidental release of medical documents in the street.
The privacy breach occurred on December 19, 2015. Medical documents were being transported by Lee County Solid Waste Division for secure disposal. The paper files were due to be incinerated in accordance with Health Insurance Portability and Accountability Act Rules, but were accidentally released during transportation.
The failure to secure the records resulted in them falling off the vehicle used to transport them. The documents containing highly sensitive medical data were strewn across the street and found their way into doorways, driveways, canals, and were blown all over the sidewalk.
Patients Have Now Been Notified of the Privacy Breach
Patients were notified of the breach of their private and confidential medical data on February 12, 2016, the same date that Office for Civil Rights received a HIPAA data breach report. Initially it was unclear exactly how many patients had been affected.
According to the OCR data breach report, 483,063 patients are believed to have been affected, making this the largest HIPAA data breach reported this year, and the largest healthcare data breach to be discovered since the 10,000,000-record Excellus Health Plan breach uncovered in September 2015.
When Radiology Regional Center was alerted to the privacy breach, action was rapidly taken to try to recover the missing records. The healthcare provider organized a foot search, with more than a dozen employees combing the area around Fowler Street in Fort Myers, FL., where the records had been released. Two further searchers were organized on December 21 and 22.
According to the company’s breach notice, Radiology Regional Center believes virtually all of the dumped records have now been recovered. That said, it was not possible to determine whether some documents were lost or picked up by members of the public. As such there is a risk that some of the information contained in the documents has been viewed by unauthorized individuals, or even used inappropriately.
Because of the potential disclosure of PHI, patients may be at risk of identity theft and fraud. The data contained in the documents included the exact types of information criminals need in order to steal identities and commit various types of fraud.
The documents contained the names of patients, their dates of birth, Social Security numbers, health insurance details, financial information, addresses and contact phone numbers, as well as health information, medical statuses, and assessment information. Patients affected by the breach had visited Radiology Regional Center between 2005 and 2012.
All affected individuals have been offered credit monitoring services and have been advised to place 90-day credit alerts on their files in case any individual attempts to use their data inappropriately. Since health insurance information was also exposed, patients have been advised to monitor their Explanation of Benefits statements carefully and report any suspicious entries.