As often discussed on this site, health data breaches can stem from numerous areas. Covered entities and their business associates need to ensure they have a comprehensive data security plan, and are able to implement the necessary physical, administrative, and technical safeguards. However, accidents still happen, which is what two facilities are currently experiencing.
An office burglary and a case of improper disposal show how health data security approaches often need to be adjusted, to ensure that the same type of incident does not happen again.
Calif. physician notifies patients after office break-in
Dr. Olartino Dyoco sent data breach notification letters to patients after certain information was potentially exposed following an office break-in. Dyoco noticed on June 2, 2015, that his office had been burglarized, according to a copy of the breach notification letter. Several computers were stolen, Dyoco reported, containing information such as patient names, dates of birth, telephone numbers, insurance numbers, treatment codes, and billing information.
“The circumstances that resulted in this breach were unforeseeable, and Dr. Dyoco assures you that he has heightened procedures and safeguards to prevent a recurrence of this situation,” stated the letter, which was dated July 13, 2015. “He added levels of encryption to his computer systems, and advised his staff with regard to security training anything to avoid this situation in the future.”
The incident was reported to the Fresno, California, police department, and individuals with questions are encouraged to contact the medical office’s attorney.
The data breach notification letter did not specify how many patients were potentially affected, or whether the stolen computers were encrypted at the time of the theft. However, the letter did say that patients’ “security, confidentiality, integrity and privacy of patient personal information are highly valued by Dr. Dyoco.”
Medical records found in Utah dumpster
In what is unfortunately becoming an increasingly common tale, personal documents, including medical records, were found in a dumpster in Taylorsville, Utah last week. The records appear to have come from Positive Adjustments, an out-of-business drug and alcohol rehabilitation clinic, according to a Fox13 news report.
Dr. Scott Cold, DDS, told the news source that his contractor found the documents Friday morning in a dumpster being used for construction waste.
“These documents for these records were complete with patients’ names, addresses, phone numbers, dates of birth, Social Security numbers, court documents, treatment documents, all dumped in my dumpster illegally,” Cold said.
Other tenants in the building where Positive Adjustments was located reported that the clinic has been empty for about six months. Cold notified police after finding the documents, but law enforcement said that it would be difficult to pursue charges beyond illegal dumping.
Even when a facility changes location or closes, it is essential that PHI security remain a top priority. While the HIPAA Privacy and Security Rules do not prescribe a specific disposal method, leaving PHI, in any form, in easily accessible areas is not acceptable.
“Covered entities must review their own circumstances to determine what steps are reasonable to safeguard PHI through disposal, and develop and implement policies and procedures to carry out those steps,” according to HHS. “In determining what is reasonable, covered entities should assess potential risks to patient privacy, as well as consider such issues as the form, type, and amount of PHI to be disposed.”