Huntington Medical Research Institutes Discovers Two HIPAA Breaches

Nonprofit biomedical research company Huntington Medical Research Institutes (HMRI) has announced two HIPAA breaches in the space of a month: one involving the improper disposal of records, the other an alleged theft of patient data by a former employee.

Insecure Disposal of Laboratory Slides and Medical Files Discovered

On August 6, 2015, HMRI discovered that paper records and glass laboratory microscope slides had been disposed of in a way that did not comply with HIPAA regulations. The incident is believed to have occurred at some point in the two weeks prior to HMRI becoming aware of the HIPAA breach.

The incident resulted in sensitive material potentially being exposed, including some diagnosis and treatment data, the source of the tissue being tested, specimen information, and details of the tests that had been ordered. The name of the referring physician, patient names, dates of birth, and potentially other demographic information were also contained in physical files. No Social Security numbers, credit card details or insurance information were exposed, although some patients’ billing information was potentially also included in the files. Patients are not believed to be at risk of harm or loss as a result of the breach.

Alleged Theft of Patient Data by Former Employee

The second incident was discovered two weeks later to the day. HMRI has not confirmed that the employee in question definitely took patients’ Protected Health Information, although the company does believe this to be the case. The exact same data types were exposed: patient names, dates of birth, demographic data, diagnosis and treatment information, specimen information, tissue source, tests ordered, and the referring physician’s name.

No Social Security numbers or credit card details were exposed, although similarly, some billing information was potentially taken. HMRI learned of this incident on August 20, 2015, although the employee left the company on July 31.

There is no indication as to why the data was taken, although patients are not believed to be at risk of identity theft or fraud. Oftentimes when breaches such as this occur, patients may subsequently receive letters, emails, or even phone calls from another healthcare company. However, HMRI has not confirmed whether data was taken to the individual’s new employer.

In response to both data breaches, HMRI will be conducting further staff training to reinforce HIPAA privacy and security rules, as well as company policies concerning patient privacy. Additional data security measures will also be implemented to prevent further privacy incidents from occurring in the future.

The breach notices issued by HMRI do not indicate how many individuals were affected by either breach, although the Department of Health and Human Services’ Office for Civil Rights has been notified of a single breach involving 4,300 patient records. This has been listed as involving a laptop computer and other portable electronic device. The breach report presumably relates to the second data breach suffered, as there is no mention of paper files being exposed.

Both breach notices were posted on the company website exactly two months after the breaches were discovered. The investigation into the first breach has now been completed, although the investigation into the data theft is continuing and attempts are still being made to recover the stolen data.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.