By Katie Wedell @ Dayton Daily News
SPRINGFIELD, Ohio —
Community Mercy Health Partners could face penalties from the federal government for improperly disposing of private medical records after thousands of old laboratory files were found at a Springfield recycling center.
CMHP has 60 days to contact patients whose information was in those files, according to federal regulations. The files included pathology lab requests and results, according to LeRoy Clouser, who discovered the discarded records on Thanksgiving.
“There were thousands of records. Names, dates, pathology requests, all kinds of information, social security numbers,” Clouser said. “That information is totally confidential. And having it here, anybody could have stolen it. This was a whole feast for total identity theft.”
The improper disposal was unintentional, Community Mercy spokesman Dave Lamb said, and to the hospital’s knowledge, no other records have been disposed of in Dumpsters.
“We will review the storage and disposal procedures, particularly older records of this nature,” Lamb said. “We will meet or exceed federal HIPAA guidelines to directly contact any impacted individuals by mail. As part of the notification, we will offer identity protection. We deeply regret any inconvenience this may cause any patients.”
The hospital is still digging through the files to determine exactly how many patients are affected and didn’t say if it determined how the records ended up in the publicly accessible container. No patients have reported identity theft as a result of this incident, Lamb said.
“When records no longer need to be maintained, standard practice is to shred them,” he said.
But Clouser was dropping off items at the Clark County Solid Waste District’s North Recycling Station, 525 E. Home Road, when he opened a container and found a large stack of paperwork and folders with the names Community Mercy Health Partners, Mercy Memorial Hospital, Community Hospital and Springfield Regional Medical Center on them.
He found more files in two other Dumpsters.
A photo he took of the top of one pile shows paperwork labeled Surgical Pathology and Non-Gynecologic, Cytology Requisition Form. The years on the documents visible in the photo ranged from 2005 to 2013.
He called the Springfield Police Division the next day about what he found. They said it wasn’t a criminal matter but alerted Community Mercy. The hospital sent out a security officer.
“I opened up the lid and he’s just about falling over backward,” Clouser said.
The officer told him the hospital has a commercial shredder and couldn’t believe documents would have been dumped like that.
“Springfield Police notified our security that some records were found at a recycling station,” Lamb said. “We responded immediately and retrieved any disposed documents to review.”
Joanne Wright’s old lab results, including her social security number, were included in that stack.
“It’s sad to me to realize just how vulnerable we all are,” she said.
Compared to large data breaches where corporation’s computer systems are hacked, this feels more personal to her.
“Because it’s in your hometown and was done by someone who doesn’t care,” she said.
The U.S. Department of Health and Human Services Office of Civil Rights, which is responsible for enforcing the Health Insurance Portability and Accountability Act known as HIPAA, says in its guidelines that records can’t be placed in the trash.
“Covered entities are not permitted to simply abandon (protected health information) or dispose of it in Dumpsters or other containers that are accessible by the public or other unauthorized persons,” the guidelines say.
However HIPAA privacy and security rules don’t require a particular disposal method. It recommends shredding, burning, pulping or pulverizing paper records so the private information is unreadable.
The Office of Civil Rights investigates when a complaint about a HIPAA violation is filed or investigators can initiate a review based on a media report, spokeswoman Rachel Seeger said.
“Many of (the complaints) involve patient records found in Dumpsters,” she said.
One of the largest recent cases resulted in settlements with two of the country’s biggest pharmacy chains after an Indiana TV station’s investigation reportedly showed employees improperly disposing of pill bottles and labels with patient information.
CVS Pharmacy Inc. agreed to pay a $2.25 million settlement in 2009 and implement a detailed corrective action plan. Rite Aid paid a $1 million settlement in 2010.
Earlier this year a compounding pharmacy in Denver agreed to a $125,000 settlement after a media outlet there uncovered medical documents in a Dumpster on the pharmacy’s property, exposing the private information of more than 1,600 patients.
Seeger couldn’t confirm if any complaint or review has been opened into the Springfield incident because the office has a policy of not commenting on possible or current investigations.
The Springfield News-Sun has filed a request through the Freedom of Information Act for any previous complaints against Community Mercy. Seeger confirmed they haven’t previously had to pay any settlements or monetary penalties.
In April, the Springfield hospital alerted patients to a data breach that occurred in February.
Invoices for about 2,000 patients containing names, addresses, billing codes such as diagnosis and procedural codes, service dates and locations, and account balances were inadvertently sent to incorrect people.
Six individuals may have received invoices not intended for them, Lamb said at the time. No social security numbers or other personal financial information were exposed during that incident.
Once the federal agency investigates, the office can close it by either finding no violation occurred, providing assistance to an organization to fix minor issues or requiring a corrective action plan be implemented.
In the most egregious cases, a monetary penalty can be assessed, Seeger said, but that has occurred less than 30 times since the office’s enforcement efforts began in 2003.
For affected patients like Bonnie Martin, the investigative process is worrisome. Neither she nor Wright has experienced any signs that their identity information has been stolen or compromised.
Her longtime doctor ordered blood work back in 2006 and sent her to a lab at the former Community Hospital, where she believes these documents originated.
“It’s kind of upsetting,” she said.
She wonders if the files possibly got moved to the former Mercy Medical Center building on Fountain Boulevard at some point following the demolition of Community Hospital. Martin worries there could be other sensitive documents still at Mercy.
“I’d really like to know when is all done, who had them and who put them there,” Wright said.
HIPAA violation enforcement by the numbers:
123,065: HIPAA complaints to the U.S. Department of Health and Human Services Office of Civil Rights since 2003.
23,939: Cases resolved by requiring corrective actions in privacy practices.
$22.8 million: Paid in settlements or civil monetary penalties.
The Springfield News-Sun digs into important stories about privacy, including recent coverage of privacy concerns with drones and a data breach earlier this year at Community Mercy Health Partners.