Granger Clinic may have lost patients’ appointment documents

[Erica Absetz <erica () riskbasedsecurity com>]

http://www.sltrib.com/sltrib/news/56048214-78/records-clinic-medical-breach.html.csp

A West Valley City-based medical clinic has alerted federal health
officials of a possible data breach after a collection of about 2,600
medical appointment records slated for shredding went missing.

The Granger Medical Clinic records had been printed from an electronic
scheduling database and included the names of patients, the dates and
times of appointments and the reason for the medical visit, said
Steven Hester, the clinic’s attorney. All of the records were from
2012.

No addresses, birth dates, medical claim information, Social Security
numbers or financial information, including credit card numbers, were
included in the records, Hester said. Some of the documents contained
an internal medical record number, but those numbers would not be
useful outside the clinic.

Staff discovered the records were missing on Jan. 22 and an internal
investigation was launched, he said. Letters were sent to the affected
clinic patients on Friday, the same day a news release was issued.

The Health Insurance Portability and Accountability Act — known more
commonly as HIPAA — requires a records breach to be reported to
federal officials, the affected patients and the media. The law
requires notification within 60 days of an identified breach, the HHS
web site states.

"The clinic is taking this very, very seriously," Hester said. "We
have reported it to the Department of Health and Human Services. They
haven’t initiated an investigation, but we anticipate that they will."

HIPAA defines a breach as any use or disclosure that compromised the
security or privacy of health information that poses a risk of
financial, reputation or other harm to the affected person.

To date there has been no indication that any of the information has
been used for any improper purpose, Hester said.

Sheila Walsh-McDonald, the data security ombudsman for the Utah
Department of Health, was unaware of the Granger breach, but said
there is no law requiring the clinic to notify state
officials.Walsh-McDonald was appointed by Gov. Gary Herbert last year
after computer hackers broke into a poorly-protected government server
and stole Social Security numbers for up to 280,000 people.
Less-sensitive data on another 500,000 Utahns was also taken.

Public health officials are concerned about the volume of medical
records and the types of information that could potentially be made
public in any breach.

"We just have to be vigilant all the time and staff need to fully
understand all of the implications," she said.

Hester said Granger is implementing new data procedures and retraining
staff to guard against future losses of data or documents. The changes
include ending the policy of printing and shredding patient
appointment records, he said.

Despite the internal investigation, Hester said it’s not clear what
happened to the Granger records.

The documents, which represent only a fraction of the estimated 60,000
patients on Granger’s books, were thought to have been stored in a
secure location, but could not be located when it came time for them
to be shredded.

It also remains possible that the records were actually destroyed, but
no one at the clinic made an adequate record of that action, he said.

"We don’t know for sure," Hester said. "There’s a chance it’s not a
breach, but we’re acting out of caution."
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://datalossdb.org/mailing_list

Supporters:

Risk Based Security (http://www.riskbasedsecurity.com/)
Risk Based Security equips organizations with security intelligence, risk
management services and on-demand security solutions to establish
customized risk-based programs to address information security and
compliance challenges.