Iron Mountain X-Ray Theft Causes HIPAA Breach
The Orthopaedic Specialty Institute Medical Group has recently reported that one of its Business Associates advised it of a theft from its facilities in the Inland Empire in which thieves managed to obtain 742 boxes of X-ray prints of its patients.
The X-rays were being stored by Iron Mountain Record Management and came from old patient files dating back 10 to 15 years. The medical data exposed is confined to whatever is visible on the X-ray itself, such as the body part imaged and the condition being examined. Patient names, dates of birth and medical record numbers were also printed on the X-ray jackets, although no financial information or Social Security numbers were present.
Under the HIPAA Breach Notification Rule, a breach of Protected Health Information that includes personal identifiers capable of tying that information to a particular patient must be reported to the Department of Health and Human Services' Office for Civil Rights.
The organization affected must also send breach notification letters to every individual whose information was exposed, unless a documented risk assessment shows a low probability that the information has been compromised, viewed or accessed by unauthorized individuals. Orthopaedic Specialty Institute Medical Group posted a notice on its website alerting patients to the breach, although it is not clear whether individual breach notification letters were sent.
The theft was reported to the police, who investigated and concluded that two employees of the Iron Mountain facility were most likely responsible. They are believed to have taken the X-rays and sold them to a recycling center.
X-rays are valuable because the film contains silver, which can be recovered by recycling. Silver makes up roughly 1.5% of the weight of an X-ray, so 742 boxes would contain several thousand dollars' worth of the metal.
The theft of X-rays for their silver content is well known to law enforcement. It is unlikely that the files were taken for the data they contained, and the risk to individuals is therefore considered low. The breach notice on the OSIMG website did not state how many individuals were affected, although the report on the OCR breach portal indicates that the files contained X-rays of 49,714 patients.