Prima Care Discovers Improper Dumping of PHI: 1,651 Patients Affected

This week another case of improper dumping of PHI has been discovered, with an employee of a New England healthcare provider allegedly dumping files that were no longer needed.

Employees are the Weakest Link


Healthcare employees are the weakest link in security defenses. Being human, they are prone to make errors from time to time. A mistyped email address can be all it takes to expose thousands of patient health records, as has occurred on numerous occasions already this year.

Improper Dumping of PHI Discovered


However this week, a (now former) employee of a healthcare provider has exposed patient records in a rather atypical way. The individual in question was an employee of Prima CARE, P.C, a healthcare provider based in New England. That individual breached HIPAA and hospital rules by maintaining patient records without the knowledge of his or her employer, and apparently dumped the files when they were no longer required.

Prima CARE was alerted to the breach when binders containing a wide variety of patient data was discovered in some bushes off Jefferson Street in Fall River, close to a parking lot at Dave’s Beach. The files contained notes and data on 1,651 patients of the multi-specialty hospital group, who had received treatment at Prima CARE’s facilities between 2007 and 2012.

According to a breach notice posted on the Prima CARE website, the employee “had failed to appropriately file or discard the documents following their use,” the notice also confirmed that “this was done without Prima CARE’s knowledge or consent, and [was] in violation of our practices.” The company also confirmed that it is now in possession of the binders and patient data.

Insurance Information Exposed, but only 1 Social Security Number


The data in the binders included patient names, phone numbers, home addresses, dates of birth, hospital account numbers, medical record numbers, insurance numbers, dates treatment had been provided, and a limited amount of clinical data, although with the exception of one individual, no Social Security numbers were exposed.

The improper dumping of PHI was discovered on May 25, 2015, with the matter reported to the healthcare provider 9 days later on June 4, 2015. The incident was reported to the Department of Health and Human Services’ Office for Civil Rights on July 29. The location of the dumped files is peculiar, as is the delay in notifying the healthcare provider that they had been found.

Patients Should Exercise Caution and Monitor Credit and EoB Statements


What is clear is the information contained in the files was potentially viewed by the person who discovered them, who could have copied the data during the 9 days they were in his or her possession. Patients affected by the data breach should therefore exercise caution, should monitor Explanation of Benefits statements for any suspicious activity, and keep a close eye on their credit. The latter can be achieved by contacting each of the credit monitoring bureaus – Equifax, Experian, and TransUnion – to obtain a free credit report. All Americans are permitted to obtain one report from each of the credit bureaus once every 12 months, without charge.

The files did not contain a complete set of data for every patient; various data elements on each patient were present in the files. The notice states that Prima CARE has offered “complimentary credit monitoring services where appropriate,” depending on the level of risk each patient faces.

Incidents such as this are difficult to prevent, although training on data privacy, security can help to reduce the risk, as can explaining the possible penalties for violating HIPAA Rules. Bulletins, or ongoing training should also be considered to ensure that privacy and data security issues are kept fresh in the mind.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.