25% off all training courses Offer ends May 29, 2026
View HIPAA Courses
Learner Login Learner Support
Learner Login Learner Support
25% off all training courses
View HIPAA Courses
Offer ends May 29, 2026

The HIPAA Journal is the leading provider of HIPAA training, news, regulatory updates, and independent compliance advice.

Three Breaches of Physical Medical Records Impact at Least 4,100 Individuals

Posted By on Feb 20, 2017

Three healthcare organizations have recently reported security breaches involving the theft/exposure of physical protected health information. While it is currently unclear exactly how many healthcare patients have been impacted, at least 4,100 individuals are known to have been affected. According to police reports, the total could be as high as 8,000 individuals.

The largest confirmed breach has impacted 2,953 employees and residents of Catalina Post-Acute and Rehabilitation of Tucson, AZ.

The nursing home and rehabilitation center discovered that documents containing the sensitive information of residents and employees had been left unattended and unprotected in a location accessible by the public. A range of sensitive information was detailed in the documents including names, demographic information, Social Security numbers and medical diagnoses.

An internal investigation of the incident was conducted to determine how the information was exposed and the potential for that information to have been inappropriately accessed. No evidence was uncovered to suggest any information had been used inappropriately, although the possibility that PHI was disclosed to unauthorized individuals could not be ruled out.

Get The FREE
HIPAA Compliance Checklist

Immediate Delivery of Checklist Link To Your Email Address

Please Enter Correct Email Address

Your Privacy Respected

HIPAA Journal Privacy Policy

As a result of the potential privacy breach, Catalina Post-Acute and Rehabilitation has reviewed and reinforced its protocols relating to the storage of physical PHI of residents and employee data to prevent future breaches of this nature from occurring. All affected individuals have now been contacted in accordance with HIPAA Rules.

Storage Unit Break in Impacts Patients of Two Healthcare Organizations

A break-in at a Zanesville, OH storage facility used by multiple healthcare organizations has resulted in the theft of highly sensitive patient health information.

Thieves targeted the Brandywine Lock-N-Stock in Zanesville on December 12, 2016 and broke into 9 storage units. The units were used to keep old patient records, many boxes of which were taken by the thieves.

The units raided by the thieves were rented by Genesis HealthCare/Genesis Credit Union, Dr. Rice of Vision Source, and Capital Prosthetic & Orthotic Center, Inc. Genesis HealthCare and Genesis Credit Union have said that no patients were impacted by the break-in, although several boxes of files were taken from the Vision Care and Capital Prosthetic-rented units.

Capital Prosthetic & Orthotic Center, Inc., said 15 boxes of files were taken from its storage unit, and Vision Care said seven boxes of files were taken.

According to a breach notice issued by Capital Prosthetic, the stored documents contained a range of sensitive information of former patients, including names, addresses, birth dates, medical diagnoses, treatment information, health insurance information and Social Security numbers. Individual impacted by the incident had received medical services at Capital Prosthetic between 2008 and 2012. A statement released by Capital Prosthetic indicates 1,134 former patients had their medical records stolen.

The files taken from the Vision Care unit contained names, Social Security numbers and limited health information. While a substitute breach notice has been uploaded to the Vision Care website, no mention has been made about the number of individuals impacted.

The Zanesville Police Department was notified of the break-in and nine days later some boxes of medical files were recovered. Zanesville Police Department has also identified suspects believed to be responsible for the theft, although no charges against those individuals have been filed as of yet.

According to the Zanesville Times Recorder, detectives estimate that around 3,000 to 5,000 medical files have been recovered. All files relating to Capital Prosthetic patients are believed to have been recovered, according the company’s attorney Cliff Mull. Vision Care also claims that all seven boxes of stolen records have now been recovered and secured.

Both companies say no evidence has been uncovered to suggest that any of the data in the files have been used inappropriately.

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com

x

Is Your Organization HIPAA Compliant?

Find Out With Our Free HIPAA Compliance Checklist

Get Free Checklist