Earlier this year, Greenville Hospital System University Medical Center notified patients of a breach that does not appear on HHS’s breach tool. Kudos to GreenvilleOnline.com for noticing it and reporting on it.
The undated notice, which is prominently linked from Greenville’s home page, appears to have been created on February 4, 2011:
On December 31, 2010, Greenville Hospital System received notification from a local news station that the station had received an anonymous report that boxes containing patient information were located in a storage structure behind the building which was formerly Allen Bennett Memorial Hospital. As residents of the greater Greenville area know, Allen Bennett Memorial Hospital was closed in August of 2008, when Greer Memorial Hospital was opened, and the Allen Bennett building was donated to the city of Greer. The building was recently sold to Cardinal Real Estate Group, Inc. and is currently unoccupied. The storage structure in question is located at the very back of the property, immediately behind a Greenville County EMS building.
After receiving notification, our first and immediate step was to dispatch our personnel to retrieve the boxes from the storage structure. The boxes are in our possession and are secure. We then began an investigation to determine the content of the boxes, how they came to be in the storage structure and, most importantly, whether the boxes had been accessed by any unauthorized persons and whether additional boxes had been in the storage structure and might have been removed by unauthorized persons.
Here is what we have found, as of February 4, 2011:
- There were twenty two boxes in the storage structure. The boxes contained business office documents of Allen Bennett Memorial Hospital dating from 1990 to 1999.
- There were no medical records in the boxes. However, the business office documents included sign-in sheets (with patient name, time and date of registration, and complaint or reason for visit), cash receipts (with patient name and amount of payment), patient insurance information, face sheets (including diagnosis or treatment), and admission reports (with patient name, date of birth, date of service and some with Social Security Numbers). Also included were certain documents without patient information, such as cash count sheets. These documents contain information related to less than half of the patients treated at Allen Bennett Memorial Hospital during this time period.
- Until the late 1980s, when secure storage space was added in the basement of the Allen Bennett Memorial Hospital building, Hospital business office records were in fact stored in the storage structure, which was secured. We interviewed several individuals who worked in the business office of the Hospital during the relevant period. No one interviewed recalls moving the boxes in question to the storage structure or putting the boxes directly in the structure.
- We requested our independent, contracted security service to examine the storage structure, to determine if there was evidence that the boxes in the storage structure were limited to the boxes that we recovered and to determine if there was any evidence that the materials in those boxes had been exposed to review by an unauthorized individual. The investigation was conducted by a former law enforcement officer with expertise in criminal investigations. His report found that there were no signs that anyone had been inside exploring because the interior of the storage structure and its contents did not show signs of disarray. He concluded, “It does not appear any criminal intent is present nor was there any evidence to show items have been removed from the property.”
- We have interviewed current personnel and physically searched the grounds of the former Allen Bennett Hospital and confirmed that there are no further business office or other documents of Allen Bennett Memorial Hospital stored in storage structures or otherwise left in or about the premises of the Hospital.
Based on our investigation, we have no basis to conclude that business office or other documents containing patient information had been removed from the storage structure or that any of the business office records that were recovered from the storage structure had been subject to any acquisition, access, use or disclosure by an unauthorized person that compromised the security or privacy of the patient information those documents contained.
We will continue to monitor this situation for further developments or relevant information. We are committed to candor and transparency in matters that affect our patients and the communities that we serve and we understand and support the concerns of our community about the privacy of medical and personal information. For that reason, we are providing this notice, so that individuals served by Allen Bennett Memorial Hospital during the period of 1990 to 1999 are aware of this deeply regrettable situation.
Information about medical and credit identity theft is available from the South Carolina Department of Consumer Affairs http://www.scconsumer.gov/education/id_theft.pdf and from the Federal Trade Commission http://www.ftc.gov/bcp/edu/microsites/idtheft/.
If you were a patient of Allen Bennett Memorial Hospital during the period 1990 to 1999, please contact us at this toll-free number 1-888-558-2228 if you have any questions.
Nice disclosure, although it’s not clear to me who was legally responsible for those hospital records. Did GHS take over all records or what is their connection to this? And why doesn’t this appear on HHS’s breach tool?