A California healthcare organization recently reported two separate healthcare data breaches that potentially exposed patients’ PHI.
Huntington Medical Research Institutes (HMRI) announced on October 6, 2015 that some “small glass laboratory slides and paper records were disposed of in a way that did not conform to our policies.” HMRI said that it first became aware of the incident on August 6, 2015, and that some of the items may have been improperly disposed of up to two weeks before that discovery. The statement did not say how many individuals were possibly affected by the improper disposal.
Potentially exposed information includes patient names, dates of birth, clinical information such as diagnosis, treatment, tissue sources, specimen information, specific tests ordered, and referring physician information. Some billing information may also have been included, according to HMRI. However, Social Security numbers and financial information were not included in the slides and paper records.
“HMRI is diligently following up on this incident and taking reasonable actions to prevent similar incidents in the future,” HMRI explained in a statement on its website, adding that there is no reason for patients to take any action. “Among other actions, HMRI is reinforcing the training of staff who have access to patient health information, and strengthening data security.”
The second healthcare data breach was reported on October 20, 2015, and occurred when a former HMRI employee potentially took some ePHI upon leaving HMRI on July 31, 2015. The research institute said that it learned about the incident on August 20, 2015.
The HMRI statement on its website did not say what form the ePHI was in, but according to the Office for Civil Rights (OCR) data breach reporting tool, it was a laptop or other portable device. The OCR report also states that the October 20 incident potentially affected 4,300 individuals.
HMRI explains that once again Social Security numbers and other financial information were not exposed. However, patient names, some demographic information such as date of birth, clinical information such as diagnosis, treatment, tissue specimen source, other specimen information, and specific tests ordered were all included. Moreover, referring physician information and some billing information were also potentially exposed.
HMRI added that there is no action that patients need to take, and that it once again plans to reinforce staff training for employees who have access to PHI and to strengthen the facility’s data security.
Unfortunately, this is not the only recent incident where an employee took patient information after leaving a healthcare organization. Last month, HealthITSecurity.com reported on an incident at Baptist Health and Arkansas Health Group.
In that case, former employees downloaded patient information to take with them to their new employer, Bray Family Health. Baptist Health reported that this action was done without its permission and that it was in violation of its policies.
Potentially exposed information included patient names, addresses, telephone numbers, dates of birth, gender, race, ethnicity, rendering provider, referring provider, and the dates the patients were last seen by a Baptist Health provider. Social Security numbers, billing information, treatment information, and health insurance information were not included, according to Baptist Health.
“As a health care organization, protecting your privacy is among our highest priorities,” Baptist Health Privacy Officer Dana H. Williams, MSHI, RHIA, CHC, CHP said in a statement. “On behalf of Baptist Health, I sincerely apologize for this incident.”