[BreachExchange] As More Health Records Go Digital, Paper Still at Risk

[Audrey McNeil]

http://www.databreachtoday.com/as-more-health-records-go-digital-paper-still-at-risk-a-9216

Radiology Regional Center recently filed a motion to dismiss a class-action
lawsuit filed against the Fort Myers, Fla.-based clinic in the wake of a
paper records breach potentially affecting more than 483,000 individuals,
alleging there's no evidence of harm caused. But experts say even if this
case is thrown out of court, the breach shows why healthcare organizations
cannot afford to neglect safeguarding paper documents as they migrate to
electronic health records and other digital systems.

"As entities continue the transition from paper to electronic records, they
should keep in mind that the sudden archiving or destruction of paper
records creates new risks," says privacy attorney Adam Greene of the law
firm Davis Wright Tremaine, who is not involved in the Florida clinic's
case. "Even with good systems in place, problems can occur ... such as
during transport or destruction."

Breach Details

The Radiology Regional Center incident, which occurred on Dec. 15, 2015,
but was reported to the Department of Health and Human Services on Feb. 12,
is the largest breach involving lost, stolen or improperly disposed paper
or film records listed on the federal "wall of shame"website since HHS'
Office for Civil Rights began keeping tally in 2009 of breaches affecting
500 or more individuals.

In an earlier statement, the clinic explained that Lee County Solid Waste
Division, the company responsible for the disposal of its patient records,
ran into trouble while it was transporting patient records to an
incinerator to be destroyed. During transport, "a small quantity of
records" were released onto a road as a result of the Lee County driver's
failure to properly secure the container door, Radiology Regional contends.
Because records for 483,000 patients were among the materials being
transported by the county waste disposal company, the practice reported
that figure to HHS in its breach report.

A class-action lawsuit filed against Radiology Regional Center in a federal
court in Florida alleges that the breach puts patients at risk of harm. In
addition to citing the risk of identity theft and credit card and income
tax fraud, the lawsuit says some of those whose records may have been lost,
including judges and police officers, run the risk of their occupations and
addresses being exposed to those who could do them harm.

In a motion filed on June 17, Radiology Regional Center seeks to dismiss
the lawsuit based on several issues. For example, it alleges that because
less than two-thirds of the proposed class of affected individuals are
Florida citizens, a court in Florida should not hear the case. It also
asserts that the plaintiffs haven't established harm, such as being victims
of identity theft or fraud linked to the incident. And it claims that the
plaintiffs' allegations of being at increased risk of future harm is too
speculative.

Representatives of Radiology Regional Center and an attorney for the
plaintiffs did not immediately respond to Information Security Media
Group's request for comment on the latest developments in the lawsuit.

No Injuries?

"The general lack of concrete injury is the primary basis on which these
[breach] lawsuits get dismissed," notes privacy attorney Kirk Nahra of the
law firm Wiley Rein, who is not involved in the case. "The courts have been
pretty firm in requiring something more than just a theoretical injury."

In the Radiology Regional Center case, there is no clear indication that
any records were even lost, Nahra says. "If some portion were lost, there
is no indication whatsoever in this case that the records were recovered by
anyone, much less by anyone who would do something wrong with any records.
So, this is a more speculative case than many others, even where those
others also get dismissed."

The Florida clinic said in its statement that as soon as it learned of the
incident, "every effort was made to retrieve the records, including a foot
search of the surrounding area by more than a dozen of our employees and
physicians. In an abundance of caution, a second search of the area was
conducted by foot on Dec. 21, 2015, and a third was conducted on Dec. 22,
2015. As a result of our numerous searches, we believe that virtually all
of the records were retrieved."

Good Reminder

The Radiology Regional Center incident "is a good reminder that paper
records still matter," Nahra says. "These kinds of incidents happen - very
sporadically - but they do happen."

Incidents involving paper records, however, may become an even bigger
problem as more entities move to electronic records and get rid of large
quantities of paper charts. So organizations need to be mindful of the
problems that can occur and take precautions, says privacy attorney David
Holtzman, vice president of compliance at the security consultancy
CynergisTek.

"The business needs for destruction [of paper records] are varied but the
processes to ensure the confidentiality of the records are strikingly
similar," he says. "Covered entities and business associates must plan
every step of the process by which the records will be collected, make an
inventory of the documents that are being sent off site, the means by which
the records will be safeguarded while being moved to the site where they
will be destroyed and documentation that the process was completed using
appropriate means to assure complete destruction."

In addition, attorney Greene suggests that "entities should check their
insurance coverage to ensure that they have adequate protection for the
unexpected. Cyber policies are often focused on computerized data, so
entities should check that they have coverage for problems involving hard
copy health information too."

Other Incidents

As of June 21, the OCR "wall of shame" breach tally shows that since
September 2009, about 25 percent of the 1,587 incidents listed on the
federal tally website have involved paper or film. Of those, nearly half
involved loss or theft, about 11 percent involved improper disposal and the
remainder involved unauthorized access/disclosure.

The incidents on the breach tally involving paper records or film affected
a combined total of about 3 million individuals, or less than 2 percent of
the nearly 159 million individuals that have been impacted by all breaches
listed.

One recent breach involving unauthorized access or disclosure of paper
records or film was reported to OCR on June 8 by retail giant Walmart. The
incident affected more than 27,000 individuals.

Walmart tells Information Security Media Group that the incident occurred
when a company that processes refund checks for Walmart and Sam's Club
pharmacy and optical center customers experienced a printing error.

"This error caused incorrect information to be printed on the letters that
accompanied the refund checks sent to customers," the retailer says in a
statement. "As a result, the mailing a customer received may have included
another individual's information, limited to name; pharmacy prescription
number or an optical order number; order date; refund amount; and city and
state of the Walmart or Sam's Club visited."
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20160621/7b9a1728/attachment.html>