Healthcare providers in Ohio and Washington are working through separate potential health data breaches following instances of a missing notebook and an unlocked storage center, respectively. Incidents like these further show why healthcare organizations need to have comprehensive security measures in place and ensure that employees at all levels are properly trained in how to handle patient information.
PHI of 1,400 patients in missing employee notebook
The PHI of 1,426 Cancer Care Northwest (CCNW) patients is potentially at risk after the healthcare provider realized that a notebook containing the information was missing. CCNW became aware of the missing item on June 19, 2015, according to a company statement. Information in the notebook included patient names, dates of birth, patient ID numbers, diagnoses, and some treatment information.
CCNW explained that affected patients will receive a data breach notification letter via first class mail. While the statement did not specify if the provider would offer identity or credit protection services, CCNW did recommend that affected patients contact credit bureaus and place Fraud Alerts on their credit report.
CCNW stated that it would take extra measures to properly train employees in how to handle PHI:
“Cancer Care Northwest takes very seriously our role of safeguarding your personal information. We have therefore required all of our employees to receive additional training on the proper handling of protected health information. We are also reminding our employees that all protected health information is to be kept only in our electronic medical record and have asked that they not use personal notes or notebooks to record patient information.”
The CCNW statement did not explain how many patients were affected, but the Department of Health and Human Services (HHS) data breach reporting database listed 1,426 individuals affected. HHS also showed that it received notice of the health data breach on August 17, 2015.
Ohio provider reports missing padlock at rented POD
Ohio-based Endocrinology Associates reported a potential data security incident after it realized that a POD containing patient information was missing its padlock.
The provider is currently renovating its location, and is storing patient charts in a rented POD on-site, according to a company statement. Endocrinology Associates realized on the mornings of June 15 and June 19 that the POD padlock had been removed. While an inventory search proved that no patient information was missing, the provider explained that it “cannot confirm with certainty” that no charts were opened, reviewed, or copied.
“As for the content of the physical charts, we do not maintain financial information of our patients in the charts,” the statement read. “However, some charts did contain social security numbers. To date, we have not received any indication, notice, or response from any patient that their personal health information has been stolen or compromised in any fashion.”
Endocrinology Associates added that “enhanced security measures” have been implemented to prevent the situation from taking place again. Affected patients will also receive data breach notification letters through the mail.
Notification of the incident was submitted to HHS on August 14, according to HHS’ site, and 1,400 individuals were affected.