An Orlando Health hospital has sent breach notification letters to 68 patients after a document containing their Protected Health Information (PHI) was found “in a neighborhood driveway”. The letters were sent “out of an abundance of caution”, although the information could potentially have been read by an unauthorized individual.
According to a WFTV news report, Channel 9 was contacted by a man after his son received a breach notification letter in the post telling him that his confidential health information may have been exposed in a security incident, which prompted reporters to investigate.
John Henderson told reporters that his son was sent a letter saying that a patient list had been discovered in a driveway. The list was found to contain patient names, medical record numbers, account numbers and medical diagnoses, although no insurance information, financial details or Social Security numbers were included. He said he “can’t believe Orlando Health is this irresponsible.”
Hospitals must take great care to ensure that patient health information is properly protected, although even when technical, physical and administrative controls are put in place to protect data – as required by the HIPAA Security Rule – accidental disclosures of PHI can still occur as a result of human error.
The breach notification letters sent by the hospital explain that the breach was caused when an employee took information out of the hospital by accident. The paper file containing the PHI and names of patients “possibly fell out of the employee’s car”. Reporters attempted to contact the hospital for a statement to find out whether employees were permitted to take confidential healthcare data out of the hospital and how many people were affected, and Orlando Health issued a statement on the incident this Wednesday.
Orlando Health told WFTV that the incident was thoroughly investigated as soon as it was discovered and the hospital determined the security breach to be an isolated incident. No evidence of any malicious intent was discovered and no further risk is believed to exist. The HIPAA breach was determined to have been purely accidental.
The statement also said, “We have a number of policies in place to ensure the security and privacy of all protected health information, and we continually evaluate and modify these policies to protect our patients.”