6 Healthcare Organizations Discover PHI Has Potentially Been Compromised

Six possible data breaches have been reported by healthcare organizations in the past few days that may have resulted in an impermissible disclosure of patient data. 8,701 patients are known to have been affected by the breaches.

Harris Health System Notifies Patients About Potential Privacy Breach

Houston, TX-based Harris Health System has notified 2,298 patients that some of their protected health information (PHI) has been exposed.

On December 30, 2019, two envelopes were sent to Ben Taub Hospital to be scanned and archived in the Harris Health electronic medical record system, but the envelopes were lost in transit.

The envelopes contained 143 sheets which are believed to include data from patients who visited Gulfgate Health Center for medical services between December 9, 2019 and December 27, 2019. The sheets contained information such as names, dates of birth, addresses, telephone numbers, test results, diagnoses, health insurance information, medical information, provider information, and Social Security numbers.

Since it was not possible to determine which patients were affected, the decision was taken to notify all patients who potentially had their PHI exposed. Harris Health System’s chief compliance and risk officer, Carolynn R. Jones, believes the envelopes contained the PHI of approximately 25 patients.

The employee tasked with transporting the information has been sanctioned and policies and procedures for transporting patient data have been reviewed and revised to prevent similar incidents in the future. All individuals potentially affected have been offered complimentary membership to credit monitoring services for one year.

Kaiser Permanente Alerts Patients About Mailing Error

Kaiser Permanente has discovered letters have accidentally been mailed to patients’ former addresses. Kaiser Permanente had embarked on a project to improve mailing addresses for correspondence with members in Southern California. An error was identified on November 1, 2019 that caused the letters to be sent to incorrect addresses. An investigation revealed the error was introduced on October 6, 2019. Addresses were corrected on December 20, 2019.

The mailings sent during that period included referral letters, surveys, care reminders, appointment reminders, and Explanation of Benefits statements. Those letters contained demographic information, details of medications, diagnoses, billing information, and health insurance information. No Social Security numbers or financial information was exposed.

Kaiser Permanente has provided additional training to the staff to prevent further errors in the future. Letters have now been resent to the correct addresses. The HHS’ Office for Civil Rights (OCR) breach portal indicates up to 500 patients may have been affected.

Backup Drive Containing ePHI Stolen from Elk Ridge Dentistry

The Estes Park, CO dentist practice, Elf Ridge Dentistry, has discovered a portable hard drive used to store backups was stolen from the practice.  The hard drive was among several items taken from the practice. The incident was reported to law enforcement, but the hard drive has not been recovered.

The dental practice learned on January 31, 2020 that the hard drive contained the records of 2,793 patients and included names, addresses, dates of birth, healthcare information, X-ray images, and a limited number of Social Security numbers. Treatment consent forms, referral letters, and emails were also backed up on the device. All affected patients have been offered complimentary membership to identity theft protection services through ID Experts.

PHI Potentially Compromised in Break-in at Armada Physical Therapy

Armada Physical Therapy experienced a break-in around December 19, 2019 at its Menaul Clinic on Menaul Boulevard in Albuquerque, NM and a server was stolen. The theft was reported to law enforcement and the investigation is ongoing, but the stolen server has not been recovered.

It was not possible to determine the exact information stored on the server, but it was known to contain intake forms for patients who received treatment prior to December 4, 2017. Patients who received treatment after that date had their information stored in a different location.

The intake forms contained names, addresses, telephone numbers, email addresses, insurance numbers, and Social Security numbers. Armada Physical Therapy does not believe financial information was stored on the stolen server. It was not possible to determine exactly how many patients were affected by the breach. The breach report submitted to the HHS’ Office for Civil Rights indicates up to 500 patients may have been affected.

Mailing Vendor Error Discovered by Riverview Health

An error at a printing and mailing vendor used by the Noblesville, IN-based healthcare provider, Riverview Health, has resulted in the exposure of the names of 2,610 patients.

The mailing vendor was instructed to send patient notification letters advising them about a potential change to two primary care providers, but an error resulted in letters being sent to incorrect addresses on January 6, 2020. Riverview learned of the error on January 14, 2020.

The letters identified individuals as patients of one of the two Riverview Health primary care providers. No other information was compromised.

Steps have now been taken to prevent similar errors from occurring in the future, including the addition of further review methods prior to the mailing of patient notification letters.

Mental Health Records Found Abandoned in Chicago Street

Physical medical records from the Community Mental Health Council have been found abandoned in an alley in West Englewood, Chicago. The Community Mental Health Council permanently closed its clinics after funding was lost in 2012.

Hundreds of former patients have had their sensitive data exposed. The documents included the names, addresses, Social Security numbers, diagnosis information, medical records, and other sensitive information. They were found strewn across an alley off Hermitage Avenue by a local resident when she took out her trash. City officials were contacted, and the records have now been collected and secured. City officials are now trying to determine who was responsible for dumping the records.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.