Several data breaches reported in the last few months involved lost or stolen physical records. To be exact, 5 and 7 HIPAA-covered entities reported breaches involving paper records in October and November, respectively. Last December, there’s another report of data breach involving physical records in Illinois. Payment records of Franciscan Physician Network of Illinois and Specialty Physicians of Illinois LLC kept in the storage facility in Chicago Heights were missing.
This incident of missing paper records is one of the largest data breaches in recent months. The potential number of patients impacted is 22,000. Boxes of files containing payment records from 2010 and 2015 to 2017 were discovered missing on November 21, 2017. The covered entity issued notifications of data breach on December 13, 2017.
The lost files were discovered missing during a routine records request. Because the files cannot be found, an inventory was conducted. That’s when it was confirmed that 40 boxes of files were missing and most likely stolen. No foul play is suspected.
The records contained patient information such as names, addresses, methods of payment, payment amounts, location of office and credit card numbers (last four digits only). For patients that paid by check, the records also included information such as the bank account number, routing number, and Social Security number. Record files from the year 2010 may also have some information on insurance ID numbers, dates of birth, account numbers, type of visit, provider name and address, procedure codes, diagnoses, description of services and dates of service. As a precautionary response, the provider offered free identity theft protection services to all patients impacted by the breach for two years.