Urology Associates Reports 6500-Record Data Breach

Offsite storage of paper medical records may be convenient if facility space is limited; but the decision to store records offsite may prove to be a costly, as Kailspell-based healthcare provider, Urology Associates recently discovered. The company had taken advantage of a local storage facility and rented a unit to store boxes of old medical records. Unfortunately, the facility was recently burgled.

Storage Units are a Risky Place to Keep Sensitive Medical Records


Storage units are frequently burgled. The units are secured with locks; but in many cases, all that is required to access the contents is a set of heavy duty bolt cutters. Thieves have realized there are easy pickings to be had from storage units, and law enforcement has had to deal with a spate of storage unit break-ins recently. The problem is not limited to Kalispell; it is a countrywide problem.

Records Potentially Accessed, but not Stolen


Medical records are extremely valuable. Complete sets of data can fetch in the region of $60 on the black market. Clean records, such as those of children, can be even more valuable. $200 per set is not unheard of. Multiply the lowest figure by the number of records in the unit – 6,500 according to the Department of Health and Human Services’ Office for Civil Rights’ “Wall of Shame”, and those records were likely to be some of the most valuable items in the entire facility.

Fortunately, the perpetrators didn’t know that. The boxes inside the unit were turned over by the thieves in an effort to find something of value, but they couldn’t see the wood for all the trees, and left the records in the unit.

The break-in occurred on or just before May 25, 2015. Urology Associates was notified of the data breach on May 26, when the storage facility was opened for business. The padlock had not been tampered with, instead the thieves cut the metal around the lock to gain access to the contents. Many other units had been broken into in a similar fashion in the same incident.

No Records Stolen; Same Breach Cost as if They Were


Urology Associates Practice Manager, Tanna Darling, alerted local news outlet, The Daily Interlake, about the break-in. She told a reporter, “Everything was in disarray, but it honestly didn’t look like they took anything,”

However, even though no records appear to have been taken, a full breach response was still required. She said, “We sent out a lot of letters,” subsequently expanding that by saying “Over a few thousand letters have been sent out.” She also confirmed the potential victims are being offered a year of credit monitoring services without charge, in the unlikely event that their data was copied or removed.

It has been hypothesized that the theft was most likely committed by someone who had access to the facility; another client of the rental company. The complex was gated, and access was gained with a key.

In this case, little harm appears to have been caused. Had the thieves been a little wiser though, it may have been a different story.

A report has just been made to the OCR and patients have now been notified of the breach of their Protected Health Information, just inside the maximum deadline allowable by the HIPAA Breach Notification Rule.

HIPAA Covered entities should take note of this incident, and should ensure that if they are storing medical records offsite, appropriate security controls must be in place to protect the data, as required by the HIPAA Privacy Rule. If protections are inadequate, heavy fines may be issued.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.