- Minnesota-based Allina Health recently announced that paper documents were emptied into the trash before the documents could be securely shredded.
The documents were from a recycling bin in the physician’s private office, and were to be shredded at the Minneapolis Heart Institute at Abbott Northwestern Hospital.
On January 20, 2017, Allina Health became aware of the incident and launched an investigation. Allina Health explained that the documents may have contained patient information including names, medical record numbers, addresses, and insurance information.
According to the OCR data breach reporting tool, 776 patients were potentially impacted by the incident.
Because some patients use their Social Security numbers as identification numbers on insurance documents, there is a chance these patients Social Security numbers were exposed, Allina Health stated.
The healthcare system added that there is no evidence any patient information was viewed or misused.
Allina Health is notifying potentially affected patients of the incident explaining what occurred and offering one year of free credit monitoring and identity protection services.
“Allina Health has simplified its systemwide process to require all paper and documents be placed into secured or locked shredding bins, whether or not the paper contains patient information,” the statement explained. “All paper is shredded and then recycled. The enhanced process also removes all desk-side recycling bins to prevent paper from being placed into recycling without being shredded first.”
Chadron Community Hospital employee illegally accesses patient EHRs
Chadron Community Hospital and Health Services found evidence a staff member accessed patient medical records without proper authorization.
On January 3, 2017, the hospital became aware of the incident and immediately launched an investigation. Chadron confirmed that between September 2011 and November 2016 the employee had accessed patient EHRs to view demographic information including names, addresses, dates of birth, clinical information, and insurance information.
The incident impacted 702 patients, according to the OCR data breach reporting tool.
Chadron maintained there is no evidence suggesting the former employee viewed any patient Social Security numbers.
Chadron has issued advisory notices to all potentially impacted patients informing them of the incident.
“Whenever personal information is accessed without authorization, it is advisable that you take measures to help prevent and detect any potential misuse of your information,” Chadron advised in its statement. “We encourage patients who believe they might have been affected to closely monitor financial accounts for unusual activity and consider requesting a free credit report from one of three major credit bureaus.”
Oregon Medical Center inadvertently exposes patient information
Orange County Global Medical Center recently informed some patients of an incident in which an employee emailed an Orange County Global statistical report to an unintended recipient.
The organization discovered the incident the same day and contacted the recipient instructing him to immediately and permanently delete the information from his inbox.
The report contained patient treatment and diagnoses information, medical record numbers, dates of birth, treatment dates, and names.
Orange County Global asserted in its notification letter that patient Social Security numbers, driver’s license numbers, health insurance information, or financial account information were not exposed in the incident.
Orange County Global has not released information regarding how many patients were impacted in the incident.
Besides informing the recipient to delete the information, the healthcare organization has also provided concerned patients with free access to identity monitoring and restoration services for one year.
“We take this matter, and the security and privacy of your information, very seriously,” explained the letter, a copy of which was posted on the California Office of Attorney General. “Since the incident occurred, and in addition to instructing the inadvertent recipient to delete the information, we have implemented additional protocols for sending information, reviewed our policies and procedures, and provided additional training to staff.”
Sharp Healthcare PHI reportedly stolen
On February 6, 2017, Sharp Healthcare discovered a computer and external storage device were missing from a locked cabinet in a restricted patient care area at the Sharp Memorial Outpatient Pavilion in San Diego.
According to Times of San Diego report, the PHI of over 750 outpatients at the facility may have been accessed as a result of the incident. The devices are believed to have been stolen.
“The devices were used to process and store patient-specific wellness screening information for outpatients undergoing blood pressure and/or cardiac health studies,” Sharp Healthcare said in a statement. “Each study record may have included patient name, date of birth, age, current medications, family history and a summary of the studies performed.”
Sharp mailed letters notifying affected patients of the incident, and added that it is conducting a security practices review.