17,000 Patients’ PHI Exposed in Oregon and Massachusetts
The medical records of more than 17,000 patients have been exposed in two data breaches in Oregon and Massachusetts.
Lane County Health and Human Services in Oregon has notified more than 700 patients that some of their protected health information (PHI) has been lost. 49 boxes of patient files were transferred to a temporary storage facility while the Charnelton Clinic in Eugene was renovated. The boxes of files were discovered to be missing during a routine check on June 19.
Several teams took part in the search but the boxes could not be located. Lane County Health and Human Services believes the boxes of records may have been destroyed together with other paper documents as part of its normal document management procedures for non-medical files, but that could not be confirmed.
The information contained in the files included patients’ full names, telephone numbers, addresses, healthcare histories and Social Security numbers. The files related to 566 patients who had visited Community Health Centers in Lane County and 149 clients of Lane County Developmental Disabilities.
Lane County has notified affected patients about the breach and offered to reimburse the cost of 6 months’ membership of a credit monitoring service. Lane County Health and Human Services has now reviewed its policies and procedures for storing records and has obtained specialized health records storage services to improve security.
New England Dermatology has informed 16,154 patients that some of their PHI has been disposed of incorrectly. Boxes of paper files were disposed of without first rendering the records unreadable and undecipherable, as is required by HIPAA. Paper records containing sensitive information are usually shredded before disposal, but in this case the records were believed to have been taken by its waste contractor before shredding had occurred.
There was no way for New England Dermatology to determine exactly which records were involved so all patients who visited its Northampton office between June 10, 2013 and May 23, 2018 were notified that their PHI may have been exposed.
The information exposed included names, addresses, and patient information taken during the office visits. No highly sensitive data such as bank account information, credit and debit card details, health insurance information, or Social Security numbers were exposed.
New England Dermatology has since updated its policies on waste disposal to avoid any further incidents of this nature and employees and contractors have received additional HIPAA compliance training.