Texas Health and Human Services Commission Notifies 600 of PHI Exposure

A storage contractor has informed the Texas Health and Human Services Commission (HHSC) that 15 storage boxes have been discovered to be missing. The boxes were stored at three Iron Mountain facilities in Dallas, Fort Worth, and Irving.

The boxes contained files relating to individuals who had applied to HHSC for medical assistance between January 1, 2008 and August 31, 2009. The files contained names, addresses, dates of birth, Social Security numbers, Social Security claim numbers, bank account numbers, Medicaid/individual numbers, and medical record numbers. The breach report submitted to the Department of Health and Human Services’ Office for Civil Rights indicates 600 individuals were affected.

Iron Mountain was contracted by HHSC to store boxes of client files prior to the records being permanently destroyed. HHSC is now investigating Iron Mountain’s handling of the files and how the boxes were lost. Once the investigation has concluded, HHSC will revise its policies and procedures to reduce the probability of similar incidents occurring in the future.

When boxes of old files are lost or stolen, it can be difficult to identify the individuals affected. When records do exist, contact information may be out of date, making it difficult to alert patients. In this case, HHSC has posted a breach notice on its website to advise individuals of the loss of their files. Individuals who believe that their case information has been lost have been offered a year of credit monitoring services without charge.

This is not the first time that Iron Mountain has been implicated in a breach of protected health information. In 2013, employees of Iron Mountain were suspected of stealing x-ray films to recover the silver. 742 boxes of x-rays were discovered to be missing and two employees were implicated. In total, 49,714 patients of Orthopaedic Specialty Institute Medical Group were affected.

In the same year, a similar breach was reported which impacted 10,000 patients of Long Beach Internal Medical Group, and the Hand Care Center and the Shoulder and Elbow Institute also reported a breach involving the theft of x-ray jackets from Iron Mountain Record Management facilities. These thefts were attributed to rogue employees at the firm.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.