HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Orlando Health Notifies 68 After PHI Found in Neighborhood Driveway

An Orlando Health hospital has sent breach notification letters to 68 patients after a document containing their Protected Health Information (PHI) was found “in a neighborhood driveway”. The letters were sent “out of an abundance of caution”, although the information could potentially have been read by an unauthorized individual.

According to a WFTV news report, Channel 9 was contacted by a man after his son received a breach notification letter in the post telling him that his confidential health information may have been exposed in a security incident, which prompted reporters to investigate.

John Henderson told reporters that his son was sent a letter saying that a patient list discovered in a driveway was found to contain patient names, medical record numbers, account numbers and medical diagnoses, although no insurance information, financial details or Social Security numbers were included on the list. He said he “can’t believe Orlando Health is this irresponsible.”

Hospitals must take great care to ensure that patient health information is properly protected, although even when technical, physical and administrative controls are put in place to protect data – as required by the HIPAA Security Rule – accidental disclosures of PHI can still occur as a result of human error.


The breach notification letters sent by the hospital explain that the breach was caused when an employee took information out of the hospital by accident. The paper file containing the PHI and names of patients “possibly fell out of the employee’s car”. Reporters attempted to contact the hospital for a statement to find out whether employees were permitted to take confidential healthcare data out of the hospital and how many people were affected, with Orlando Health issuing a statement on the incident this Wednesday.

Orlando Health told WFTV that the incident was thoroughly investigated as soon as it was discovered and the hospital determined the security breach to be an isolated incident. No evidence of any malicious intent was discovered and no further risk is believed to exist. The HIPAA breach was determined to have been purely accidental.

The statement also said, “We have a number of policies in place to ensure the security and privacy of all protected health information, and we continually evaluate and modify these policies to protect our patients.”

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.