Burglaries in Corpus Christi and San Francisco Resulted in PHI Breach

Patients of two HIPAA-covered entities received notification that their protected health information (PHI) was compromised due to burglaries. The first incident involved two Christus Spohn Hospitals in Corpus Christi. On April 16, 2018, an employee of Christus Spohn was burgled. The stolen PHI included the patients’ names, dates of service, dates of birth, ages, medical record numbers, account numbers and other health data. The Social Security numbers, driver’s license numbers or other financial information of the patients were not compromised.

The patients whose PHI was stolen were those previously treated at Christus Spohn Health System’s Memorial or Shoreline hospitals. The good news is, no report has been received yet regarding the misuse of the patients’ information. This breach incident has affected around 1,800 patients. The hospital has already taken the necessary steps to avoid the occurrence of a similar incident. The employee involved in the burglary also underwent additional training to make sure he fully understands what he must do to protect the PHI of patients.

The second burglary incident happened in the Pacific Heights office of San Francisco acupuncturist Denise M. Bowden on April 28/29. Her office was ransacked and the thief stole a computer that contained some of her patients’ PHI. Ms. Bowden only knew about the incident on April 30, 2018.  The compromised PHI included the names of patients, addresses, telephone numbers, diagnosis  codes, dates of service and details of health insurance. Patients’ financial information or Social Security numbers were not stored in the computer.

The stolen computer was protected by password, but patient information was not encrypted. Therefore, there is still the possibility that unauthorized persons can view the patients’ PHI. To date, there’s no report received that would indicate the access of information contained in the computer or its misuse. Ms. Bowen notified her patients by mail regarding the data breach on June 11, 2018.