An incident previously reported on this blog involving paper records left behind and exposed at the now-closed Riverside Mercy Hospital has been reported to HHS.
As an example of how confusing HHS’s breach log tool can be without additional details, here is the log entry:
Riverside Mercy Hospital and Ohio/Mercy Diagnostics,OH,,1000,11/15/2010,Improper Disposal,Paper Records,1/4/2011
Based on only the log, one might think that the breach occurred in November 2010 instead of back in 2002 or 2003. And what role did Ohio/Mercy Diagnostics have in the breach? Was it their records that were left behind? We simply don’t know.
Eventually HHS will update its log entry when it closes its investigation on the case. By then, most people will not think to go back and get the additional details to backfill breach analyses. It would be helpful to have more details available at the time an event is posted to HHS’s site, including what types of data were involved – SSN, financial, medical records, insurance account numbers, etc.?