Texas Breach Affects 277,000

Microfiche Records Slated for Destruction Found in Dumpster

After many months without a healthcare data breach affecting more than 100,000 individuals, two such cases have been reported in recent days.


In the latest incident, Texas Health Harris Methodist Hospital Fort Worth is contacting 277,000 patients to inform them of a breach involving decades-old microfiche medical records that were slated for destruction, but were instead found intact in a public dumpster in a park.

In the other recent incident, the Indiana Family and Social Services Administration is notifying almost 188,000 clients that their personal information may have been inadvertently disclosed in mailings to other clients, apparently as a result of a computer programming error by a business associate.

A statement about the microfiche incident is posted on the website of Texas Health Resources, the parent company of the hospital. Affected individuals are also being contacted by mail about the incident, a Texas Health Resources spokesman says. The organization has also reported the breach to the Department of Health and Human Services, he notes.

The microfiche contained records of patients admitted to the hospital between 1980 and 1990. The hospital is one of 25 operated by the Arlington, Texas-based health system.

According to the statement, the hospital learned May 13 that a portion of microfiche records provided to a contractor, Shred-it, for secure destruction services had been discovered in a park on May 11 by a local resident.

The resident immediately reported the discovery to the Dallas Police Department, watching over the microfiche until the police arrived, according to the statement. In addition, three sheets of microfiche were found in two other public areas, the statement notes.

Texas Health Resources recovered the microfiche and began an investigation, determining that Shred-it had not destroyed the microfiche in accordance with its contract requirements.

Records on the microfiche may have included patient names, addresses, dates of birth, medical record numbers, clinical information, health insurance information and, in some instances, Social Security numbers, according to the statement.

"We have no knowledge that any of the information included on the microfiche has been accessed or used inappropriately," the statement says.

The Texas Health Resources spokesman notes: "In order to view the records, specialized equipment is needed. You can't read it without it, and that equipment is hard to find." He says microfiche readers are "usually only found in library basements these days."

Nevertheless, Texas Health Resources is offering free credit monitoring services to individuals affected and has set up a call center to answer questions. The healthcare organization is also severing its relationship with Shred-it, says the Texas Health spokesman.

Under the HIPAA Omnibus Rule, business associates - such as Shred-it in this incident - are directly liable for HIPAA non-compliance and breaches. HHS' Office for Civil Rights will begin enforcing HIPAA Omnibus on Sept. 23.

Shred-it officials did not immediately respond to a request for comment.

Government Penalty

In an unrelated incident, Shred-it recently agreed to pay the U.S. government a settlement of $300,000, plus legal fees, in a case also involving improperly disposed records.

The settlement, announced in a July 9 Justice Department statement, followed a whistleblower lawsuit filed by the operator of another, smaller paper shredding business in Lock Haven, Pa. Another document management services vendor, Iron Mountain, also agreed to pay the federal government a settlement of $800,000 plus legal fees.

The suit alleged that Shred-it and Iron Mountain, both contracted by the government to provide shredding services, did not shred the government's documents to the size required under the General Services Administration's standards. "Accordingly, their claims for payment for these services were false," the Justice Department said.

An Iron Mountain spokesman told Information Security Media Group: "The General Services Administration contract once required government documents to be shredded to a size unattainable by most commercial shredding services. The GSA has since changed the specification to conform with our industry's standards. The U.S. government continues to use Iron Mountain for shredding services today. We settled this suit to avoid the cost and distraction of litigation."


About the Author

Marianne Kolbasuk McGee


Executive Editor, HealthcareInfoSecurity

McGee is executive editor of Information Security Media Group's HealthcareInfoSecurity.com media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site, and played a lead role in the launch of InformationWeek's healthcare IT media site.



