Mega Mess: Records Escape from Disposal TruckIncident Is Largest of Its Kind Reported to HHS
While hacker attacks increasingly pose threats to the electronic patient data held by healthcare sector organizations, yet another healthcare provider has reported a major breach involving the improper disposal of paper and film records.
See Also: Data Center Security Study - The Results
Radiology Regional Center, Fort Myers, Fla., on Feb. 12 reported the breach to the U.S. Department of Health and Human Services and is notifying more than 483,000 individuals.
A Feb. 22 snapshot of HHS' "wall of shame" website of breaches affecting 500 or more individuals shows the incident is the largest health data breach, in terms of the number of individuals notified, that's been reported so far in 2016. The incident is also the largest breach involving lost, stolen or improperly disposed paper or film records since HHS began its tally in 2009.
The incident calls attention to the need for organizations to assess the risks to paper records just as carefully as they do the risks to electronic records, says privacy attorney Adam Greene of the law firm Davis Wright Tremaine. Organizations must determine, Greene says, "how paper records are received, stored, transmitted and disposed of. And what are the risks to confidentiality, integrity and availability at each point? They can then make an informed judgment regarding what risks are acceptable, and what risks need to be reduced through further controls, such as onsite shredding."
Troubles in Transit
A statement posted on Radiology Regional Center's website says that on Dec. 19, 2015, Lee County Solid Waste Division, the company responsible for the disposal of the Florida-based radiology services provider's patient records, ran into trouble while it was transporting patient records to an incinerator to be destroyed.
"During transport, a small quantity of records were released on Fowler Street in Fort Myers, Florida," the statement says. "This incident resulted from the condition of the container used by Lee County Solid Waste Division to transport the records and the Lee County driver's failure to properly secure the container door."
The records involved in the incident dated from 2005 to 2012, and may have contained patient names, addresses, phone numbers, Social Security numbers, dates of birth, health insurance numbers and other medical status and assessment information, as well as certain financial information, the company said.
Also, because Radiology Regional Center reviews images for many physicians and hospitals outside of Florida, the company said patients potentially impacted may not be aware that their X-ray, MRI, CT scan or other type of medical image taken in their home state by their own doctor or hospital may have been sent to Radiology Regional for evaluation. "We maintain copies of the image and your information that your home-state doctor or hospital asks us to review your image," the radiology practice says in its statement.
"As soon as we learned of the incident, every effort was made to retrieve the records, including a foot search of the surrounding area by more than a dozen of our employees and physicians. In an abundance of caution, a second search of the area was conducted by foot on Dec. 21, 2015, and a third was conducted on Dec. 22, 2015. As a result of our numerous searches, we believe that virtually all of the records were retrieved."
Still, Radiology Regional is notifying individuals and regulators of the incident, because "the spill involved paper records [and] we could not confirm exactly whose records were retrieved."
Shawn Elliott, director of business development at Radiology Regional, tells Information Security Media Group that the radiology practice "is confident that most every paper was picked up, but we can't guarantee that. It was a windy day," when the incident occurred. Therefore, because records for 483,000 patients were among the papers being transported by the county waste disposal company, the practice is notifying all those patients, as well as authorities in 23 states, plus HHS.
Until the recent incident, Radiology Regional had been using Lee County's disposal company since 2004 without any problems to transport patient records and other business documents in "secured shipping containers" for shredding and then incineration, Elliott says. "What occurred this time happened because an employee of the county did not properly lock the door of the container," he says. The door of the container is believed to have popped open when the truck hit a pothole, he says.
To ensure an incident like this does not happen again, Radiology Regional is evaluating how paper records are transported and destroyed, and is in discussions with other potential disposal firms, Elliott says. Radiology Regional is no longer using Lee County Solid Waste Division for transporting its records for disposal, he says.
The radiology provider is offering one-year of free credit monitoring to all patients potentially affected.
A spokeswoman for Lee County government, which operates the disposal company, said the incident was caused by a mechanical mishap. "There was a mechanical malfunction even though standard operating procedures were followed," she told ISMG. "An unknown number of records were released from the Lee County Solid Waste container." The contract between Lee County and Radiology Regional Center for transporting materials has been terminated, and the county is no longer providing such services to any similar healthcare entities, she adds.
Another recently reported improper disposal incident affected almost 114,000 individuals. That breach, reported by Community Health Mercy Partners on Jan. 25, involved paper and film records disposed intact in dumpsters at an Ohio recycling center last November.
That incident was discovered on Thanksgiving 2015 by a local resident who was dropping off some items at the recycling center, only to be stunned seeing several dumpsters containing stacks of patient health records, other medical paperwork and folders related to Community Mercy Health Partners' current and former facilities.
Until the Radiology Regional breach was reported to HHS for listing on the wall of shame website, the biggest incident involving paper or film records that were improperly disposed, lost or stolen was an incident reported in 2013 affecting 277,000 patients at Texas Health Harris Methodist Hospital Fort Worth. That incident also stemmed from a business associate, Shred-It International, which improperly disposed in a public dumpster decades-old microfiche records.
A Rampant Problem
Recent breaches involving improper disposal of paper and film records are a reminder that mishandling of old patient information continues to be a major issue.
"Improper disposal of information in all forms is a rampant problem throughout all types of healthcare entities and their business associates," says Rebecca Herold, CEO of consulting firm The Privacy Professor and co-founder of security firm SIMBUS360 (see Insider Blunders Still Common Breach Culprit).
While shredding the documents onsite may have prevented the Radiology Regional incident, "the risk of paper documents falling off a truck may be relatively small and may not merit the additional costs of onsite shredding," says Greene, the attorney. "Hindsight is always 20-20 with breaches like this."
Business associates responsible for the handling of PHI - even when they are destroying patient records - should also always take precautions, says privacy and security expert Kate Borten, founder of consulting firm The Marblehead Group. "Disposal companies entrusted with confidential materials today should have more than one protective barrier - the door - to ensure papers don't escape before they are destroyed," she says. "A single control is simply too weak."
Covered entities and business associates that outsource vital functions to vendors and subcontractors also need to keep an eye on these partners, says privacy attorney David Holtzman, vice president of security firm CynergisTek. "While simply having a business associate agreement in place with the trash hauler was enough to meet their HIPAA Privacy Rule requirements, mere compliance is not enough to appropriately manage that contractors and vendors are appropriately safeguarding the privacy and security of patient information," he says. As in the Radiology Regional Center case, "it was critical to review and assess the steps the solid waste disposal company was taking to safeguard the nearly 500,000 records during the process of destruction."