A business associate of the Texas Health Harris Methodist Fort Worth hospital has caused one of the biggest HIPAA breaches to date and the largest exposure of patient PHI to occur this year. This is the third major data security breach to affect Texas Health hospitals.
In accordance with the HIPAA Breach Notification Rule, the hospital is now in the process of notifying all 277,000 of its affected patients to inform them of the breach. Victims of data breaches must be given the opportunity to take the necessary precautions to prevent the losses or damage that can result from disclosed PHI.
The data exposed includes medical health information and personal identifiers such as patient names, dates of birth, telephone numbers, home addresses, medical record IDs, clinical information and health insurance details. Some Social Security numbers were also present in the data.
The transfer of Electronic PHI from HIPAA-covered institutions to their business associates is a security risk which should be identified as part of the Risk Analysis which must be undertaken to comply with HIPAA regulations. Any time that access to PHI must be provided to a business associate, there is considerable potential for a security breach to occur, and policies should be adopted by healthcare entities to minimize or eliminate that risk.
In the case of Texas Health, the HIPAA breach did not involve ePHI. The data was stored on microfilms which had been sent to a third party to be destroyed; however, a number of the films were found by members of the public in various locations around the city.
According to Texas Health Fort Worth officials, the microfilms were sent to a company called “Shred-it”. The hospital alleges that the company failed to fulfill the terms of the contract, as a portion of microfilm was found by a member of the public in a park. Since that first discovery, a further three microfilms have been recovered.
While the data breach potentially exposed 277,000 patient records, the hospital has no reason to believe that the data was accessed or viewed by unauthorized personnel. Reading microfilm requires special equipment, and a hospital spokesperson confirmed that microfilm cannot be read like an x-ray or photo negative by holding it up to a light source. The data on the microfilms relates to patients treated between 1980 and 1990.
Letters were sent on July 11 to all affected patients to alert them to the breach. An apology was issued for any inconvenience caused, and the correspondence also informed patients that the hospital has since changed the data disposal company it uses. Shred-it has reportedly confirmed that all remaining microfilm data in its possession has now been destroyed.