HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Staff Error Exposes 33K HIPAA Records at St. Joseph Health

Even with the best defenses in place, HIPAA violations can occur, as the Santa Rosa Memorial Hospital in Northern California recently discovered. The hospital, operated by the St. Joseph Health system, recently reported that an error made by a member of staff at the hospital resulted in the data of 33,702 patients being obtained by a thief.

The theft occurred during a burglary at the hospital’s Redwood Regional Medical Group offices. The facilities were broken into and the thief – or thieves – managed to find a thumb drive on which the unencrypted records of almost 34,000 patients were being temporarily stored.

The unencrypted thumb drive had been put in an unlocked staff locker overnight. In the morning, when the break-in was discovered, the member of staff concerned realized that the thumb drive was missing. The theft was reported to law enforcement officers; the perpetrators have not been identified and the thumb drive has not been recovered, although the investigation is continuing.

The thumb drive was being used to temporarily store backed up data from the radiology department while the hospital implemented a new electronic medical record system. The data stored on the thumb drive included personal identifiers such as names, addresses, gender, dates of birth, appointment and treatment dates and times, the body part x-rayed, the name of the radiographer who performed the diagnostic service and the level of radiation the patient was subjected to.


Patients who visited the hospital for diagnostic imaging services between February 2, 2009 and May 13, 2014 are likely to have had their data compromised. The hospital confirmed that other medical records, Social Security numbers, insurance details and financial information were not exposed in the incident.

The hospital does not believe the risk of identity theft to be high, nor does it believe that any of the data has been used inappropriately, but as a precaution all affected individuals will be offered 12 months of credit protection services without charge.

In response to the HIPAA breach the hospital released a statement to reassure patients. The statement read: “We take our obligation to protect patients’ privacy very seriously, and apologize for any concerns or inconvenience to patients and their families that this causes.” The president of St. Joseph Health in Sonoma County, Todd Salnas, also said that “Following this burglary, we immediately heightened security measures and training at our new Sotoyome Drive facility, and are committed to preventing such an intrusion from happening again.”

While the statement will reassure some patients, those who have been using the hospital’s medical services for some time may remember that this is not the first time the healthcare provider has suffered a HIPAA breach. In 2013, the theft of an unencrypted electronic device exposed the data of 1,000 St Joseph Health patients and in 2012, the theft of another unencrypted device resulted in 31,800 confidential patient records being compromised.

A 2010 burglary at the offices of St. Joseph Heritage Healthcare also resulted in 22 computers being stolen along with the data of some 22,000 patients. The hospital system may be “committed to preventing such an intrusion from happening again”, but many will feel that, given the history of HIPAA breaches at SJH, action should have been taken to secure data prior to the latest incident.

Had the healthcare provider taken the decision to encrypt data after any of the previous breaches, the latest incident could have been avoided. The thumb drive may still have been stolen, but if the data had been encrypted there would have been no HIPAA breach. While the Office for Civil Rights has not been fining every violator of HIPAA Rules, repeat offenders are likely to attract the department’s attention, and in such cases financial penalties often follow. These can be as high as $1.5 million per violation.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.