HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

St Joseph Health System Discovers Medical Record Storage Facility Improperly Disposed of Patient Records

St Joseph Health System in North Central Indiana is alerting patients that some of their protected health information has been exposed and may have been viewed by unauthorized individuals. The breach did not happen at St Joseph Health, but at one of its business associates.

Central Files Inc, a secure record storage facility in South Bend, IN, was contracted to securely store patient records in compliance with federal and state regulations and to destroy certain records in accordance with HIPAA Rules. Central Files Inc. has now permanently closed but was required to continue to store patient records until an alternative secure records facility could be located.

Between April 1 and April 9, 2020, several healthcare groups affiliated with St Joseph Health System were notified that confidential records containing patient information had been dumped in a location in the South Bend area at some point prior to April 1, 2020.

The records discovered at the site were in poor condition. According to the substitute breach notification on the St Joseph Health System website, the records were “showing signs of moisture damage, mold, and rodent infestation, and damage from being mixed with trash and other debris.” Attempts were made to identify patients whose data had been exposed, but trained safety personnel determined that inspecting the majority of the records would be hazardous to health and recommended the best course of action was to arrange for the records to be securely destroyed.

The records that could safely be salvaged have been recovered and St Joseph Health System has engaged a vendor to recover the remaining records from the site. That process was completed on May 20, 2020 and arrangements have been made to have those records securely and permanently destroyed.

In many cases, the records were old and contained out-of-date information. Some of the documentation included paper copies of medical records and billing statements that contained information such as names, contact information, Social Security numbers, dates of services, and clinical and diagnostic information. Patients have been notified about the breach and told that no evidence was found to suggest any information has been misused, although the possibility of unauthorized access could not be ruled out.

The records related to the following entities:

  • Goshen Emergency Physicians, LLC / Elkhart Emergency Physicians, Inc. (From 2002 to 2010) – As many as 550,000 records
  • Saint Joseph Health System (From 1999 to 2013) – Up to 1,000 records
  • Allied Physicians of Michiana (From 1995 to 2007) – Up to 976 records
  • New Avenues (From June 2004 to December 2015) – Up to 500 records
  • South Bend Medical Foundation (From 2009 to 2015) – Up to 500 records
  • Michiana Hematology Oncology (From 2002 to 2004) – Up to 500 records
  • Cardiology Associates, Inc. (From March 1, 2007 to November 30, 2013)

The breach has yet to appear on the HHS’ Office for Civil Rights website so it is currently unclear how many patients have been affected.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.