HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Three Breaches of Physical Medical Records Impact at Least 4,100 Individuals

Three healthcare organizations have recently reported security breaches involving the theft/exposure of physical protected health information. While it is currently unclear exactly how many healthcare patients have been impacted, at least 4,100 individuals are known to have been affected. According to police reports, the total could be as high as 8,000 individuals.

The largest confirmed breach has impacted 2,953 employees and residents of Catalina Post-Acute and Rehabilitation of Tucson, AZ.

The nursing home and rehabilitation center discovered that documents containing the sensitive information of residents and employees had been left unattended and unprotected in a location accessible by the public. A range of sensitive information was detailed in the documents including names, demographic information, Social Security numbers and medical diagnoses.

An internal investigation of the incident was conducted to determine how the information was exposed and the potential for that information to have been inappropriately accessed. No evidence was uncovered to suggest any information had been used inappropriately, although the possibility that PHI was disclosed to unauthorized individuals could not be ruled out.

Please see the HIPAA Journal Privacy Policy

3 Steps To HIPAA Compliance

Please see HIPAA Journal
privacy policy

  • Step 1 : Download Checklist.
  • Step 2 : Review Your Business.
  • Step 3 : Get Compliant!

The HIPAA Journal compliance checklist provides the top priorities for your organization to become fully HIPAA compliant.

As a result of the potential privacy breach, Catalina Post-Acute and Rehabilitation has reviewed and reinforced its protocols relating to the storage of physical PHI of residents and employee data to prevent future breaches of this nature from occurring. All affected individuals have now been contacted in accordance with HIPAA Rules.

Storage Unit Break in Impacts Patients of Two Healthcare Organizations

A break-in at a Zanesville, OH storage facility used by multiple healthcare organizations has resulted in the theft of highly sensitive patient health information.

Thieves targeted the Brandywine Lock-N-Stock in Zanesville on December 12, 2016 and broke into 9 storage units. The units were used to keep old patient records, many boxes of which were taken by the thieves.

The units raided by the thieves were rented by Genesis HealthCare/Genesis Credit Union, Dr. Rice of Vision Source, and Capital Prosthetic & Orthotic Center, Inc. Genesis HealthCare and Genesis Credit Union have said that no patients were impacted by the break-in, although several boxes of files were taken from the Vision Care and Capital Prosthetic-rented units.

Capital Prosthetic & Orthotic Center, Inc., said 15 boxes of files were taken from its storage unit, and Vision Care said seven boxes of files were taken.

According to a breach notice issued by Capital Prosthetic, the stored documents contained a range of sensitive information of former patients, including names, addresses, birth dates, medical diagnoses, treatment information, health insurance information and Social Security numbers. Individual impacted by the incident had received medical services at Capital Prosthetic between 2008 and 2012. A statement released by Capital Prosthetic indicates 1,134 former patients had their medical records stolen.

The files taken from the Vision Care unit contained names, Social Security numbers and limited health information. While a substitute breach notice has been uploaded to the Vision Care website, no mention has been made about the number of individuals impacted.

The Zanesville Police Department was notified of the break-in and nine days later some boxes of medical files were recovered. Zanesville Police Department has also identified suspects believed to be responsible for the theft, although no charges against those individuals have been filed as of yet.

According to the Zanesville Times Recorder, detectives estimate that around 3,000 to 5,000 medical files have been recovered. All files relating to Capital Prosthetic patients are believed to have been recovered, according the company’s attorney Cliff Mull. Vision Care also claims that all seven boxes of stolen records have now been recovered and secured.

Both companies say no evidence has been uncovered to suggest that any of the data in the files have been used inappropriately.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.