Patient information found in a California dumpster
Date Reported:
12/3/08
Organization:
Ralph Cummings, M.D.
Contractor/Consultant/Branch:
None
Location:
Laguna Hills, California
Victims:
Himself and patients
Number Affected:
Unknown
Types of Data:
"confidential patient information, such as Social Security numbers and personal medical history"
Breach Description:
"LAGUNA HILLS - Boxes with documents detailing confidential patient information, such as Social Security numbers and personal medical history, were found discarded next to a medical office building, which officials said could be a violation of patient confidentiality laws."
Reference URL:
The Orange County Register
Report Credit:
Salvador Hernandez, The Orange County Register and a special thanks to Rob Douglas from InsideIDTheft.info
Response:
From the online sources cited above:
LAGUNA HILLS - Boxes with documents detailing confidential patient information, such as Social Security numbers and personal medical history, were found discarded next to a medical office building, which officials said could be a violation of patient confidentiality laws.
[Evan] Dumpsters are a great place to find all kinds of things. The "One man's garbage is another man's treasure" cliché couldn't be more true.
The documents, which were retrieved by a doctor about 90 minutes after they were discovered, could have exposed patients to identity theft and could be a violation of the Health Insurance Portability and Accountability Act of 1996 (HIPAA).
[Evan] Not "could have exposed". This information WAS exposed, but only for a short time. The short time reduces the risk of exploitation (i.e. fraud). I know I am nitpicking, but one of the purposes of The Breach Blog is to educate.
Sheriff's officials were called about the discovery of the files at 5:04 p.m. on Nov. 26.
The caller described boxes of private medical records that were found in a trash bin in the rear of a medical building at 24953 Paseo de Valencia.
[Evan] The discarded information wasn't in just a few file folders, but was in "boxes". Can we make assumptions then as to the amount of information that was exposed?
The documents included private information including Social Security numbers and patient medical histories, said Lt. Ted Boyne of the Orange County Sheriff's Department.
Ralph Cummings, one of several doctors whose office sits on the second floor of the building, was called to the building to retrieve the documents.
Cummings said the files were mostly his personal financial records, and could recall only one file that included a patient's personal information.
[Evan] This is hard for me to understand. People typically protect themselves more than they protect others. We typically look out for our own best interests first. Dr. Cummings discarded his own financial records in the dumpster and only one patient file somehow got mixed in (his recollection)? Are billing records part of financial records? If so, don't many billing records (for right or wrong) contain patient Social Security numbers, names, addresses, and telephone numbers?
How that file was mixed in with financial records, he did not know, he said.
"I can't speculate to that," Cummings said. "We do not and have not dumped medical records in the trash. We are aware of the guidelines."
According to a statement issued by the Office of Civil Rights at the U.S. Department of Health and Human Services, the Health Accountability Act does not require a specific method to dispose of medical documents, but requires entities covered by the rule to "implement reasonable safeguards to protect the privacy of identifiable health information, including when records are disposed of."
[Evan] If we managed information security according only to the laws, rules and regulations, we are seriously remiss.
"The rule does not specifically require a particular method of disposal, but is flexible given the many health care settings and types of entities it covers."
"However, shredding would be a reasonable safeguard when it comes to disposal and, of course, simply placing records in a dumpster where anyone can access them is not."
[Evan] Common sense?
John McDonald, a spokesman with the sheriff's department, said it is unclear exactly how many patient files were in the trash container.
The deputy at the scene did not make a report on the incident because it was not clear whether a crime had been committed.
[Evan] This is too bad. I don't fault the deputy by any means, but it would be nice to have more law enforcement personnel trained in the handling of breaches and other information-related incidents. An inventory of the exposed information would really help in the response.
Sheriff's officials are reviewing the case to see what agency would handle such incidents.
"You're basically exposing the people whose records they were," McDonald said.
About an hour after the documents were reported, Cummings was reported to be on his way to retrieve the documents.
"He was basically instructed to dispose of the documents properly," McDonald said. "They were sensitive material that shouldn't be left like that."
The documents were found in a trash bin that is enclosed by a brick wall and an unlocked wooden door.
Signs posted nearby state that the area is under surveillance and a camera points directly into the trash bin.
[Evan] Surveillance can be a good detective/investigative control and the sign could serve as a deterrent (preventative control). In this case, neither would be sufficient in my opinion. How is the information protected after the garbage company comes to pick up? Does anyone review the footage captured by the camera? If so, regularly or only in response to an incident (meaning if no incident is reported, there is no review)? You get the point.
A picture of the dumpster and "security notice", Source: The Orange County Register
Another picture of the dumpster area, from a different angle (I added the circle and arrow), Source: The Orange County Register.
When first contacted by telephone, Cummings said he did not recall the incident.
[Evan] Does Dr. Cummings have a recollection (memory) problem? I don't mean this to be derogatory. Is it fair to state that normal people tend to forget things that aren't important to them, or don't have a significant effect on them personally? I don't know, he's the doctor.
"I don't recall that," he said. "We don't dump documents."
Later in the phone conversation, Cummings said he did recall being called about the documents, but said they were not patient documents.
"They weren't patient files," he said. "I checked my files and we have nothing missing."
After being told about the call to the sheriff's department regarding the documents, Cummings said there was one patient file included in several personal financial documents that he threw away, but no more.
In 2007, the Office for Civil Rights at the U.S. Department of Health and Human Services closed 2,110 complaints regarding possible HIPAA violations in California. Of those cases, 477 cases were investigated and 273 required corrective action.
"If we determine a violation has occurred, then we determine whether criminal or civil penalties apply," according to the statement issued by the department. "A knowing disclosure in violation of the rule is subject to criminal penalties, and we have referred over 200 cases to the Department of Justice for pursuit of potential criminal violations."
Civil penalties could incur a fine of $100 for each violation. Knowingly obtaining or disclosing identifiable information could result in fines of $50,000, $100,000, or $250,000 and possible imprisonment.
[Evan] I can only recall one corrective action taken that was significant enough to catch the attention of the press. Earlier this year, Providence Health & Services was fined $100,000 and agreed to "implement a detailed Corrective Action Plan". This corrective action was largely in response to events affecting the personal information belonging to 386,000 Providence patients.
Cummings said his office is aware of guidelines and does not dump patient files. When discarded, personal medical files from his office are either burned or shredded, he said.
Commentary:
Most of my comments were outlined above. I made plenty. Maybe I am just in a commenting type of mood today. Dr. Cummings is probably an excellent doctor and it is unfortunate that an incident like this detracts from that.
If you are so inclined, take a peek into the dumpsters at your work and around your town. You might be surprised with what you find.
Past Breaches:
Unknown
Dr. Cummings has a really good attitude. I bet I could make a jury bust his butt so bad it would be hurting his grandchildren yet unborn. Arrogant people like him who come up with obvious BS rather than try to correct their mistakes are usually so arrogant they do not even realize how they come across. Does he really believe that his patients believe his BS story?