Share this article on:
When the Raleigh Orthopedic Clinic arranged for its X-ray films to be modernized and transferred to digital media, the healthcare organization naturally sought external assistance. A third party vendor was located that could offer the service and the X-ray films were sent for conversion.
The contract was arranged in January of this year and the films were dispatched; however when the clinic failed to receive the electronic copies of the data suspicions were aroused. An investigation was conducted into the matter in the first week of March and it was determined that the clinic had been involved in a scam.
In contrast to other security breaches where thieves deliberately set out to steal ePHI to commit fraud, in this case the thieves wanted the x-ray film for the silver it contained. Raleigh Ortho discovered that its X-rays had been sold on to a recycling company based in Ohio which offers a service to recycle X-ray films.
It is understood that the unspecified company used by the hospital obtained the X-rays fraudulently with a view to selling the silver. X-ray films contain approximately 2% silver and thieves are able to sell the metal for as much as $24.50 per ounce according to the News & Observer.
This is not the first time a healthcare company has been scammed into giving thieves valuable X-rays. In 2012, police arrested two men from South Carolina who had managed to obtain X-rays from 38 healthcare facilities by posing as employees of a recycling company.
Raleigh Orthopedic Clinic has confirmed that while it believes the X-rays were taken for their silver content and the X-rays have now been destroyed, patients should be vigilant and review their credit card and bank accounts closely over the next few months in case the thieves also copied the data.
The X-rays included PHI of 17,000 patients, although the information was limited to full names, dates of birth and any medical problems shown by the x-ray films. The clinic is in the process of contacting those affected to alert them about the security breach in accordance with HIPAA breach notification rules.