Community Mercy Health Partners Notifies Patients of November Data Breach

In late November, a member of the public discovered a number of documents at a recycling center that appeared to have come from hospitals run by Community Mercy Health Partners.

The documents contained detailed information about patients who had received medical services between 2005-2013. The information in the documents included patient names, accession numbers, guarantor information, types of study they were involved in, medical diagnoses, health insurance details, physician names, as well as driver’s license details, Social Security numbers, and some clinical information.

LeRoy Clouser discovered the files in a number of dumpsters and alerted the Springfield Police of his find. Community Mercy Health Partners was subsequently advised by law enforcement officers about the dumped records and sent staff to retrieve the documents. The matter was reported in the media at the time, although it has taken some time for an investigation to be conducted and for all patients to be identified. That investigation is now complete and patients started being notified of the data breach on January 25.

The investigation revealed that the records related to patients who had received treatment at Springfield Regional Medical Center and Mercy Memorial Hospital. The records did not come directly from either, but had been improperly disposed of by a HIPAA Business Associate of Community Mercy Health Partners on November 25, 2015. All documents are understood to have been recovered from the dumpsters and are now secured.

However, it is not possible to determine whether any of the documents were removed by members of the public or had been viewed by unauthorized individuals. Patients have therefore been advised to check their health insurance Explanation of Benefits statements closely for any suspicious entries.

To prevent future privacy breaches such as this from occurring in the future, Community Mercy Health Partners has “re-educated our facilities management contractors on the requirements for physical storage relocation projects.”

Additional measures have also been taken to prevent future breaches, such as performing a re-inventory of document storage locations as well as ensuring paper records are only kept when strictly necessary, such as when electronic data is not available.

At the time of writing it is still unclear how many patients were affected by the breach. The initial breach report indicated “thousands” of records had been improperly dumped. It will not be known how many individuals have been affected until the breach report appears in the Office for Civil Rights breach portal.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.