Regional Medical Center Bayonet Point hospital sends records of multiple patients without permission

[Erica Absetz <erica () riskbasedsecurity com>]

http://www.abcactionnews.com/dpp/news/local_news/investigations/regional-medical-center-bayonet-point-hospital-sends-records-of-multiple-patients-without-permission

HUDSON - Requests from patients for medical records are a routine task
for hospitals.  “I went to the hospital and was given a form to fill
out for medical records,” said Micki Thoms.

Thoms asked for her records after undergoing surgery at Regional
Medical Center Bayonet Point in Hudson, and was told they would be
mailed to her.

Days later, the papers arrived in the mail.  As she opened the
envelope and began to look through them, she noticed something was not
quite right. “I read the first name and it wasn’t mine, and I turned
the page and read the second name and it was not mine,” she said.

By the last page, Thoms counted 10 different patient records, complete
with social security numbers. None of them were hers.

We tracked down several patients whose records wound up in her mailbox.

“You just never think it is going to happen to you,” said Melissa, who
does not want her last name used.

The hospital sent out medical records belonging to Melissa’s underage
son. She says she is disappointed the same hospital that cared for him
after a car crash would put him at risk for identity theft.

“That little bit of information could have destroyed my son’s future,
depending on whose hands it got into,” she said.

Some are more upset by the back story than the breach itself.  Thoms
says she called Regional Medical Center Bayonet Point on two different
days, and left one message regarding the records she received.  She
claims no one called back

Then the former patient called us.  We suggested she contact the CEO’s
office.  It was only then the hospital seemed eager to get the
documents back, she said.  We followed Mickey as she returned the
records on July 3.

We asked Bayonet Point about the incident on Monday, July 8.  That was
the same day the hospital typed up letters to patients notifying them
of the breach.

“So, it’s almost as if you had not investigated, would they have even
sent this letter to me?” Melissa questioned.

In an e-mail, hospital spokesperson Kurt Conover responded. "Safe
guarding patient privacy is among our top priorities.  We have
contacted the individuals involved to let them know we are
investigating, and to offer appropriate protective measures to ensure
their peace of mind.

The hospital declined an on-camera interview. They would not say
whether any additional measures have been taken to ensure this doesn’t
happen again.

Meanwhile, Micki Thoms has filed a complaint with the agency for
healthcare administration, which regulates Florida hospitals.

We should mention again that after we contacted the hospital about the
mistake, It appears they did follow the letter of the law in notifying
the patients.

If you want to learn more about HIPAA and your rights, visit
http://www.hhs.gov/ocr/privacy/
.
_______________________________________________
Dataloss-discuss Mailing List (dataloss-discuss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss-discuss

Supporters:

Risk Based Security (http://www.riskbasedsecurity.com/)
Risk Based Security equips organizations with security intelligence, risk
management services and on-demand security solutions to establish
customized risk-based programs to address information security and
compliance challenges.