Patients of four Massachusetts hospitals at risk after illegal dumping of records is discovered


Date Reported:
8/13/10

Organization:
Milton Hospital
Caritas Christi Health Care
Milford Hospital
Holyoke Medical Center

Contractor/Consultant/Branch:
Goldthwait Associates

Location:
Georgetown, Massachusetts (transfer station where the records were found)

Victims:
Patients

Number Affected:
"Thousands"; Milton Hospital estimates 8,000 to 12,000 of its patients, and Holyoke Medical Center puts its number between 16,000 and 24,000 patients.

Types of Data:
"individuals' full names, addresses, dates of birth, Social Security numbers, insurance information including policy numbers, patient identification numbers, as well as protected health information including diagnoses relating to pathology tests"

Breach Description:
A Boston Globe photographer discovered thousands of billing records from four area hospitals at a transfer station (dump) in Georgetown, Massachusetts.  The confidential records were allegedly discarded, unshredded and insecurely, by Goldthwait Associates, the billing services provider used by the hospitals' pathology groups.

Reference URL:
The Patriot Ledger
The Boston Globe
Milton Hospital
Caritas Christi Health Care

Report Credit:
Liz Kowalczyk, The Boston Globe

Response:
From the online sources cited above:

Four Massachusetts community hospitals are investigating how thousands of patient health records, some containing Social Security numbers and sensitive medical diagnoses, ended up in a pile at a public dump.

The unshredded records included pathology reports with patients’ names, addresses, and results of breast, bone, and skin cancer tests, as well as the results of lab work following miscarriages.
[Evan] Holy cow.  This is some very sensitive and potentially damaging personal information.  Social Security numbers, insurance policy numbers, and patient identification numbers were also involved.

By law, medical records and documents containing personal identifying information must be disposed of in a way that protects privacy, and leaving them at a dump is probably illegal, privacy lawyers and hospital officials said.
[Evan] This most definitely is illegal.  The acts that led to this breach are not compliant with Massachusetts 201 CMR 17.00 and HIPAA/HITECH.  There is really no question about it.

Violators face steep fines.

A Globe photographer discovered the records July 26 when he was dumping his trash at the Georgetown Transfer Station.

When he got out of his car, he said, he saw a huge pile of paper about 20 feet wide by 20 feet long. Upset that the paper wasn’t being recycled, he looked more closely.

The photographer said he saw health and insurance records from at least four hospitals and their pathology groups — Milford, Holyoke, Carney, and Milton — mostly dated 2009.
[Evan] In actuality, breaches like this are very common.  The practices surrounding confidential hard copy (paper) destruction are not closely scrutinized.  Detailed auditing for compliance can be very challenging, especially when it comes to third-party vendors.  Most auditors simply ask about the data destruction practices, and leave it at that.  We have started to see companies securely shred all documents, not just those containing sensitive information.  They are moving this way in an effort to account for all sensitive documents.

The Globe notified the hospitals.

It is unclear how many other hospitals’ records might have been discarded in the dump.

Hospital executives and pathologists said they are distraught about the violation of patient privacy and, as required by law, are developing plans to notify the thousands of patients whose records may have been left at the dump.
[Evan] This is not going to be cheap.

The hospitals said they also plan to formally notify the Massachusetts attorney general’s office; preliminary information has already been passed along.

Based on that, the attorney general’s office said in a statement it is reviewing “whether there has been a data breach.’’
[Evan] Uh, I think we are pretty safe to assume that this was/is a data breach.

Executives at two hospitals said the former owner of a medical billing company used by pathologists told them he had the records dumped in Georgetown.

“I was absolutely shocked,’’ said Dr. Kevin Dole, a pathologist at Caritas Carney Hospital. “We are trying to figure out the extent of the problem. We’re very concerned here about protecting patient data.’’

In this case, the hospitals transferred patient information to the pathologists they contract with, who in turn provided some of it to a Massachusetts company, Goldthwait Associates, that does their billing.

“This is a perfect example of how complicated the security of confidential information is,’’ said Clark Fenn, vice president for quality improvement, risk management, and corporate compliance at Holyoke Medical Center. “There are many hands that touch things. All it takes is one slip in that process for information to be released.’’
[Evan] Information security is not "complicated".  Unfortunately, there are too many poor information security practitioners who have given our profession a bad reputation.  Too many poor practitioners have made information security appear to be complicated.  Good information security programs are thorough, but uncomplicated.  Don't confuse thorough with complicated.  People will not follow complicated security requirements, and thus, you will have no compliance.

Goldthwait was purchased around June 1.

The new owner’s lawyer, Anthony Turco, said the new owner took records only from 2010, and any older records would have been disposed of by the former owner, Joseph Gagnon.
[Evan] Ouch!  Called out by name.

Contacted at his home in Marblehead, Gagnon said, “I really can’t comment on that because it might become a legal matter.’’

David Szabo, a partner at the Boston law firm Edwards Angell Palmer & Dodge who specializes in health care and privacy law, said state law requires records containing personal identifying information, such as names and Social Security numbers, to be disposed of so it is unreadable.

Federal law governing health records has similar requirements. Shredding and incineration are considered the standard methods that meet the law, he said.

Goldthwait employees come to hospital pathology labs and print out the information they need to bill insurers — or the pathologists mail the information to the company.

Dole, the Carney pathologist, said he required Gagnon to sign an amendment to their contract in 2003 stating that he would dispose of the paper in a way that complied with newly passed federal legislation designed to protect patients’ health information — though the amendment did not specify exactly how Gagnon would do that.
[Evan] Including this language in contracts is a great practice, but compliance should be measured on a regular basis.  We suggest that most contracts contain right-to-audit language, which allows the customer company to inquire about information security compliance.  Don't expect a contract by itself to ensure information security compliance.

At Holyoke Medical Center, pathologist Dr. John Blanchette said he does not know what the group’s contract with Goldthwait said about disposal, but “we had an understanding that they know how to dispose of medical records.
[Evan] Compliance requires more active engagement than a simple "understanding".

We’ve done business with this company for 22 years and we’re pretty upset about this. Everything as far as we knew was fine.’’
[Evan] Operating under blind assumptions that a vendor is doing what they said they would do can be dangerous.  It really doesn't work.  Organizations that employ third parties must actively assess the risks involved in doing business with their third-party providers.

Hospital officials said they are struggling with the legal issues surrounding the dumping.

They believe the records dumped went back two or three years.

They have to search for every patient who had pathology testing during that period and determine which patients need to be notified.

Jason Bouffard, Milton Hospital spokesman, estimates that number between 8,000 and 12,000 patients; Holyoke puts the number between 16,000 and 24,000 patients.

Then officials have to determine who is legally responsible for notifying patients — the hospitals, the doctors, or Goldthwait.
[Evan] This is pretty easy.  Unless the contract specifically states otherwise, the hospitals are responsible for notification.  We need to understand roles and responsibilities.  The owners of the information are the victims.  The custodians of the information are the hospitals.  A case could be made that Goldthwait Associates assumed custodianship, but in my mind this is discounted because it was not clear to the data owner.

Milton and Holyoke said they will take responsibility for notifying patients, while Carney said it will do so if need be. Milford has just started its investigation.

Commentary:
Poor data destruction practices on the part of a third-party provider lead to a breach.  From the hospitals' perspective, what could have been done to prevent this?  Active audits of the information security practices used by the provider?  Active enforcement of hospital information security requirements?  A combination of the two?  I have my ideas as I always do. ;)  What are yours?

Past Breaches:
Unknown
