Patient information on index cards is missing
Technorati Tag: Security Breach
Date Reported:
5/16/08
Organization:
State of Alabama
Contractor/Consultant/Branch:
Department of Mental Health and Mental Retardation
Greil Hospital
Victims:
Patients
Number Affected:
"hundreds of records"
Types of Data:
"name, social security number, and date of birth"
Breach Description:
"The Alabama Department of Mental Health and Mental Retardation has recently discovered that a group of index cards from Greil Hospital in Montgomery, Alabama that contact a limited amount of patient information is missing"
Reference URL:
Alabama Department of Mental Health and Mental Retardation Press Release
Alabama Department of Mental Health and Mental Retardation Breach Notification
WSFA Channel 12 News
Report Credit:
Alabama Department of Mental Health and Mental Retardation
Response:
From the online sources cited above:
The Alabama Department of Mental Health and Mental Retardation has recently discovered that a group of index cards from Greil Hospital in Montgomery, Alabama that contain a limited amount of patient information is missing.
[Evan] Index cards seems like an "old school" method for storing confidential information.
"Several months ago we noticed something irregular in some patient records," explained Dr. John Ziegler of the Alabama Department of Mental Health and Mental Retardation.
Although the cards do not record health information, they contain personal information such as the person's name, social security number and a date of birth.
"We're looking at records and patient information that goes back 5 or 6 years," Ziegler explained.
The department's Bureau of Special Investigations has launched an investigation regarding the matter and affected individuals are being directly notified.
"If these items were stolen, this behavior was not only in violation of our policies but Federal law as well. We have zero tolerance for violation of these policies and if criminal activity has occurred we will pursue prosecution vigorously. We apologize for any anxiety this may cause to patients of their family members.", Commissioner John Houston of the Alabama DMH/MR
To every extent possible, individual notification letters will be sent to the affected individuals.
[Evan] It will be very difficult if not impossible to notify some people.
the department has set up a call center that individuals may use to get information about this situation and learn more about consumer identity protections. The toll free number is 1-. The call center will be open beginning Monday, May 19, 2008, and will operate from 8 am to 8:00 pm Monday-Friday as long as it is needed.
policies and procedures are being scrutinized to determine necessary modifications to help minimize the possibility of any recurrence.
The department has been proactive in staff training and consumer training regarding potential identity theft. The Office of Consumer Rights and Advocacy Protection conducted trainings on "Identity Theft" prevention as recently as last month at the annual consumer Recovery Conference. More than 900 people with mental illnesses attended the conference and had the opportunity to receive the training.
"We take issues surrounding the rights and privacy of the people we server very seriously"
"So far there is no indication that illegal activity has occurred through the use of personal information contained on the missing group of cards"
Commentary:
What controls would need to be in place to adequately protect confidential information stored on index cards? I started to think about this question and came up with so many controls and procedures that I don't think I could make security cost-effective. Electronic security is much less cumbersome.
Does anyone really need access to Social Security numbers at the hospital besides billing?
Past Breaches:
Unknown
Date Reported:5/16/08
Organization:
State of Alabama
Contractor/Consultant/Branch:
Department of Mental Health and Mental Retardation
Greil Hospital
Victims:
Patients
Number Affected:
"hundreds of records"
Types of Data:
"name, social security number, and date of birth"
Breach Description:
"The Alabama Department of Mental Health and Mental Retardation has recently discovered that a group of index cards from Greil Hospital in Montgomery, Alabama that contact a limited amount of patient information is missing"
Reference URL:
Alabama Department of Mental Health and Mental Retardation Press Release
Alabama Department of Mental Health and Mental Retardation Breach Notification
WSFA Channel 12 News
Report Credit:
Alabama Department of Mental Health and Mental Retardation
Response:
From the online sources cited above:
The Alabama Department of Mental Health and Mental Retardation has recently discovered that a group of index cards from Greil Hospital in Montgomery, Alabama that contain a limited amount of patient information is missing.
[Evan] Index cards seems like an "old school" method for storing confidential information.
"Several months ago we noticed something irregular in some patient records," explained Dr. John Ziegler of the Alabama Department of Mental Health and Mental Retardation.
Although the cards do not record health information, they contain personal information such as the person's name, social security number and a date of birth.
"We're looking at records and patient information that goes back 5 or 6 years," Ziegler explained.
The department's Bureau of Special Investigations has launched an investigation regarding the matter and affected individuals are being directly notified.
"If these items were stolen, this behavior was not only in violation of our policies but Federal law as well. We have zero tolerance for violation of these policies and if criminal activity has occurred we will pursue prosecution vigorously. We apologize for any anxiety this may cause to patients of their family members.", Commissioner John Houston of the Alabama DMH/MR
To every extent possible, individual notification letters will be sent to the affected individuals.
[Evan] It will be very difficult if not impossible to notify some people.
the department has set up a call center that individuals may use to get information about this situation and learn more about consumer identity protections. The toll free number is 1-. The call center will be open beginning Monday, May 19, 2008, and will operate from 8 am to 8:00 pm Monday-Friday as long as it is needed.
policies and procedures are being scrutinized to determine necessary modifications to help minimize the possibility of any recurrence.
The department has been proactive in staff training and consumer training regarding potential identity theft. The Office of Consumer Rights and Advocacy Protection conducted trainings on "Identity Theft" prevention as recently as last month at the annual consumer Recovery Conference. More than 900 people with mental illnesses attended the conference and had the opportunity to receive the training.
"We take issues surrounding the rights and privacy of the people we server very seriously"
"So far there is no indication that illegal activity has occurred through the use of personal information contained on the missing group of cards"
Commentary:
What controls would need to be in place to adequately protect confidential information stored on index cards? I started to think about this question and came up with so many controls and procedures that I don't think I could make security cost-effective. Electronic security is much less cumbersome.
Does anyone really need access to Social Security numbers at the hospital besides billing?
Past Breaches:
Unknown
Posted by Evan Francen at 5/26/2008 11:14 AM 
Categories: Greil Hospital, Stolen Documents, State of Alabama
Categories: Greil Hospital, Stolen Documents, State of Alabama
Posts Atom 1.0
Comments