A recent update to HHS’s breach tool indicates that the Texas Health Harris Methodist Hospital in Azle, Texas reported a breach involving the PHI of 9,922 patients.
I did locate a breach notice on the hospital’s web site, although it was not immediately apparent from the home page, and I had to click on the “About Us” link on the home page to find a link to the breach notice. The undated notice reads:
Texas Health Harris Methodist Hospital Azle is notifying our patients of a breach of unsecured patient health information. Texas Health Azle is under a duty imposed by Texas law to notify patients of breaches of patient information. The breach was confirmed on April 22, 2010 and would have impacted patients who were treated by the hospital’s lab from July 2008 through February 2010.
We want to emphasize that Texas Health Azle believes that there was never any potential harm of identity theft or financial fraud to you in any manner.
What type of information was involved?
A back-up computer disc containing laboratory chemistry exam results was missing from the lab. The back-up computer disc, such as the disc involved in this incident, contained the following information: patient’s name, patient’s date of birth, the date the test was run through the laboratory machine, the date blood was collected from the patient, the date results were reported by the laboratory machine, the abbreviated chemistry panel names (for example: sodium = Na; potassium = K) and the numerical result values (for example: sodium – 135 – 145 mEq/L).
What happened?
The sequence of events to determine the breach of patient privacy occurred as follows:
- On April 22, 2010, the Texas Health Resources (Texas Health) compliance department and the Texas Health Azle compliance and privacy officer received notice that a back-up computer disc containing laboratory chemistry exam results was missing. A compliance and privacy investigation was immediately initiated.
- It was determined that the computer disc contained laboratory chemistry results for the timeframe of July 2008 through February 2010.
- The computer disc was stored in a file drawer in the main laboratory area. On April 7, 2010, laboratory personnel had determined that the computer disc was missing and a thorough search was initiated. The laboratory was completely searched as well as each employee’s locker but the disc was not located.
- Each laboratory employee was interviewed by Human Resources and the Texas Health Azle privacy officer.
- According to the investigation, it appears the computer disc was removed by a Texas Health Azle laboratory employee and information from the disc was sent to Texas Health. Once Texas Health began investigating the incident, a note was received stating the computer disc had been destroyed and that no information had been disclosed.
- Using another Texas Health Azle hospital system, a report was generated to identify patients who had chemistry tests performed during the time period July 2008 through February 2010.
What steps are being taken by Texas Health Azle?
Texas Health conducted a thorough investigation into the incident. As a result of the investigation findings, corrective action was taken with several laboratory employees. Lab employees were re-educated on the Texas Health privacy policy and procedure, with a specific emphasis on reporting obligations and the chain of command when health information is missing. Employees were also coached on the importance of protecting patients’ information.
What steps can you take?
We want to emphasize that Texas Health believes that there was never any potential harm of identity theft or financial fraud to you in any way.
If you desire, you may request a free copy of your credit report. You are entitled to one free report annually from each of the three consumer reporting agencies listed below by going to www.annualcreditreport.com.
Equifax 1-800-525-6285
Experian 1-888-397-3742
Trans Union 1-800-682-7289
Once you receive the credit reports, look for accounts you did not open, inquiries from creditors that you did not initiate, and personal information, such as home address and social security numbers, that is not accurate.
How can I get more information?
Texas Health Azle has trained staff available to take calls if you have questions related to the incident. You may call this number, (800) 227-3597, from 8:00 a.m. to 5:00 p.m. Monday through Friday.
No one from any Texas Health entity will be contacting you or asking you to confirm any of the information that was involved in the incident. Please be alert to such calls and do not provide any personal information to the caller.
We take very seriously our role of safeguarding your personal information and using it in the appropriate manner. Texas Health Azle regrets that this incident has occurred.
So why wasn’t this incident reported to HHS until January 2011? And what does the hospital think the reason was that an employee took the disc and sent them the data? Was the employee trying to make a point about inadequate security or was there some other reason?
And what evidence does the hospital have that the disc really was destroyed?