HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Hospital X-Ray Scam Provides Thieves with PHI of 17K Patients

When the Raleigh Orthopedic Clinic arranged for its X-ray films to be modernized and transferred to digital media, the healthcare organization naturally sought external assistance. A third party vendor was located that could offer the service and the X-ray films were sent for conversion.

The contract was arranged in January of this year and the films were dispatched; however when the clinic failed to receive the electronic copies of the data suspicions were aroused. An investigation was conducted into the matter in the first week of March and it was determined that the clinic had been involved in a scam.

In contrast to other security breaches where thieves deliberately set out to steal ePHI to commit fraud, in this case the thieves wanted the x-ray film for the silver it contained. Raleigh Ortho discovered that its X-rays had been sold on to a recycling company based in Ohio which offers a service to recycle X-ray films.

It is understood that the unspecified company used by the hospital obtained the X-rays fraudulently with a view to selling the silver. X-ray films contain approximately 2% silver and thieves are able to sell the metal for as much as $24.50 per ounce according to the News & Observer.

Please see the HIPAA Journal Privacy Policy

3 Steps To HIPAA Compliance

Please see HIPAA Journal
privacy policy

  • Step 1 : Download Checklist.
  • Step 2 : Review Your Business.
  • Step 3 : Get Compliant!

The HIPAA Journal compliance checklist provides the top priorities for your organization to become fully HIPAA compliant.

This is not the first time a healthcare company has been scammed into giving thieves valuable X-rays. In 2012, police arrested two men from South Carolina who had managed to obtain X-rays from 38 healthcare facilities by posing as employees of a recycling company.

Raleigh Orthopedic Clinic has confirmed that while it believes the X-rays were taken for their silver content and the X-rays have now been destroyed, patients should be vigilant and review their credit card and bank accounts closely over the next few months in case the thieves also copied the data.

The X-rays included PHI of 17,000 patients, although the information was limited to full names, dates of birth and any medical problems shown by the x-ray films. The clinic is in the process of contacting those affected to alert them about the security breach in accordance with HIPAA breach notification rules.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.