Patient Steals Other Patients’ Info

[Erica Absetz <eabsetz () opensecurityfoundation org>]

http://www.phiprivacy.net/?p=11918

Paul Smith reports on an incident at a Lancaster, Pennsylvania medical practice:

A patient at Crooked Oak Family Medicine stole a document containing
personal information about some of the practice’s other patients on
February 5, 2013.

Read more on Fox43.

A statement posted today on Lancaster General Health‘s web site says:

A Crooked Oak Family Medicine patient stole a document containing
personal information about some of the practice’s patients on Feb. 5,
2013.

The patient was at Crooked Oak, Lancaster, for an appointment and
while there, became agitated and disruptive. To calm the patient, he
was taken to the office of the practice manager. While meeting with
the practice manager, the patient grabbed a stack of papers from the
manager’s desk. He then ran out of the building before practice
personnel could stop him. LG Health Security notified Manheim Township
Police and several attempts were made to retrieve the document with
patient information from the patient. Unfortunately, the patient did
not return the document.

The document stolen included patient names, genders and dates of
birth, whether they had received certain cancer screenings such as a
mammogram, colonoscopy, etc., whether a pediatric well child-care
visit had been conducted and whether they received the pneumococcal
vaccination. The document contained no Social Security numbers, no
addresses and no credit card information.

There is no evidence that patient information has been misused.
Lancaster General Medical Group (LGMG) and its Crooked Oak practice
are reviewing its office policies and procedures to prevent a similar
incident in the future.

LGMG is offering 12 months of free, identity theft protection services
to any Crooked Oak Family Medicine patient whose information was
included in the stolen document. The services include credit
monitoring, access to fraud resolution representatives, and more.

Patient questions regarding this incident can be directed to ID
Experts at 1-866-833-7924.

This release is in accordance with the Health Information Technology
for Economic and Clinical Health (HITECH) Act. Lancaster General
Medical Group has notified its affected patients and the Department of
Health and Human Services.

It’s not clear why the patient grabbed documents and why he reportedly
wouldn’t return a document with other patients’ information. Was it no
longer in his possession or did he just refuse to return it, and if
so, did the practice seek a court order? And why did he grab the
information?  There’s no doubt in my mind that this is a reportable
breach under HITECH, but it would be nice to know his motivation in
taking the files and his reasons for refusing to return them.
_______________________________________________
Dataloss-discuss Mailing List (dataloss-discuss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://datalossdb.org/mailing_list

Supporters:

Risk Based Security (http://www.riskbasedsecurity.com/)
Risk Based Security equips organizations with security intelligence, risk
management services and on-demand security solutions to establish
customized risk-based programs to address information security and
compliance challenges. 

Tenable Network Security (http://www.tenable.com/)
Tenable Network Security provides a suite of solutions which unify real-time
vulnerability, event and compliance monitoring into a single, role-based, interface
for administrators, auditors and risk managers to evaluate, communicate and
report needed information for effective decision making and systems management.