[BreachExchange] 300, 000 Records Found at Hospital Slated for Demolition

Destry Winant destry at riskbasedsecurity.com
Wed Aug 8 23:03:16 EDT 2018


https://www.careersinfosecurity.com/300000-records-found-at-hospital-slated-for-demolition-a-11293

Documents containing information on more than 300,000 patients were
recently discovered on the former campus of a Missouri hospital that's
being prepared for demolition four years after the hospital moved to
new facilities. The incident illustrates the need to track all paper
records that contain protected health information.

In a statement posted on its website, SSM Health St. Mary's Hospital in
Jefferson City, Mo., says that on June 1, it was notified that
"documents and other materials containing patient information were
discovered in isolated locations at the former hospital campus."

The hospital says it has confirmed that all formal medical records
were "safely and securely transferred" prior to the move to the new
facility on Nov. 16, 2014. The paper documents left behind at the old
facility included administrative and operational documents for various
departments, the hospital notes.

"The documents included demographic, financial, and/or clinical data,
but in most instances involved very limited information such as name
or medical record number alone," according to the hospital's
statement. A comprehensive review of the recovered information is
underway, and the hospital has also retained a document services firm
to assist in cataloging all recovered documents.

SSM Health notes that although security safeguards and deterrents were
in place to protect the shuttered facility, "the investigation has
confirmed that the safeguards were not adequate to ensure the security
of the patient information and other materials with absolute
confidence between the date of the move until the date that the
hospital was notified on June 1."

The organization also notes that while it believes that the incident
"does not represent a significant risk to patients, it does constitute
a privacy breach under HIPAA."

An SSM Health spokeswoman tells Information Security Media Group: "The
documents were found in more than one location after a member of the
community brought it to our attention. The old SSM Health St. Mary's
campus was vacated in November 2014."

She adds: "SSM Health St. Mary's Hospital is in the process of
reviewing and revising its policies and procedures regarding proper
record storage, retention and destruction, as necessary. We are
working with affected individuals and offering ID protection when
appropriate."

SSM Health is a Catholic, not-for-profit integrated health system with
more than 40,000 employees and 10,000 providers, according to its
website.

One of Largest 2018 Breaches

The SSM Health incident is listed on the Department of Health and
Human Services' HIPAA Breach Reporting Tool website as an improper
disposal breach impacting 301,000 individuals.

The incident is the fourth largest breach posted so far this year on
the HHS breach tally website. The site, also known as the "wall of
shame," lists breaches impacting 500 or more individuals since
September 2009.

Similar Incidents

Some similar improper disposal incidents have resulted in enforcement
actions by federal regulators.

For instance, in February, the HHS Office for Civil Rights, which
enforces HIPAA, entered a $100,000 settlement with Filefax, a
now-defunct medical records storage company at the center of a 2015
"dumpster diver" breach affecting more than 2,000 patients.

In that case, patient records were found in an unlocked vehicle in
Filefax's parking lot, and hundreds of pounds of paper medical records
that should have been shredded or destroyed before disposal were
discovered unprotected in a dumpster outside the Filefax building.

And in 2014, OCR signed an $800,000 settlement with Parkview Health
System as a result of an incident in June 2009. In that breach, the
paper medical records of 5,000 to 8,000 patients were left unattended
in the driveway outside the home of a retired physician.

In some other cases, the Federal Trade Commission as well as OCR took
action in the aftermath of breaches involving improper disposal of
patient information.

For example, the two agencies reached a 2010 settlement with Rite Aid
Corp., which agreed to pay a $1 million fine and take corrective
action after some of its stores improperly disposed of prescription
information in dumpsters.

Also, a $2.25 million settlement was reached in a similar case against
CVS Caremark in February 2009.

Precautions When Moving

Kate Borten, president of security and privacy consultancy The
Marblehead Group, says the SSM Health incident is a reminder that an
organization's "security, privacy and/or compliance officer should be
involved with facility moves and changes" to ensure sensitive records
are not left behind.

"While paper medical records are typically treated with care, other
documents may be overlooked and left exposed, as in this case," she
notes.

Privacy attorney David Holtzman, vice president of compliance at
security consultancy CynergisTek, offers more advice: "Even with the
widespread adoption of electronic health records, hospitals, provider
practices and health plans are printing millions of pages of paper
every month. A critical step for safeguarding PHI is to have a
document management process that tracks, manages and stores PHI in all
forms."

Organizations should develop and implement policies and procedures
that create accountability for identifying what documents are being
created, how they are being maintained and monitoring their secure
storage or destruction, Holtzman stresses. They "should take their
cue" from the HIPAA Privacy Rule requirements to develop and apply
policies and procedures for having administrative, physical and
technical safeguards to protect the confidentiality of PHI through its
final disposition, he adds.

"Make it a management imperative," Holtzman suggests. "Create
workforce accountability for proper handling of PHI in any form.
Identify what are secure and proper methods of destruction and
disposal of electronic media, hardware and paper documents. Train your
workforce on those methods for secure destruction and disposal of
PHI."

Disposal of Electronic PHI

Addressing another PHI disposal issue, OCR's latest cyber alert
enewsletter, issued Tuesday, focuses on the risks posed by improper
disposal of electronic devices containing PHI.

"Devices or media that need to be replaced should be decommissioned
and disposed of securely to ensure that either the devices or media
are destroyed or any confidential or sensitive information stored on
such devices or media has been removed," OCR writes. "Improper
disposal of electronic devices and media puts the information stored
on such devices and media at risk for a potential breach" involving
PHI and other sensitive data, the agency adds.
