I’ve occasionally reported news stories concerning the theft of x-ray films containing personally identifiable information. Here’s another example from HHS’s latest update to the breach tool: Thomas Jefferson University Hospitals in Pennsylvania notified 3,150 patients after x-ray films were stolen on September 6. The hospital posted a notice linked from its home page.
A search of HHS’s breach tool reveals that there have been four breach reports concerning stolen x-ray films since September 2009 when mandated reported began, but I’m aware of a number of other such cases that have not (yet?) appeared on the breach tool.
In August, Harvard University Health Services reported the theft of over 1,000 films. An arrest was made in that case two weeks later. The same individual may have been involved from the theft of films from Anna Jacques Hospital, also in Massachusetts. Portsmouth Hospital in New Hampshire was also victimized, although it is not clear whether the same thieves were involved.
In September, Good Samaritan Hospital in Baltimore reported theft of x-ray films, while two hospitals in Pennsylvania other than Thomas Jefferson University also reported such thefts: Grand View Hospital and Lankenau Hospital.
And these thefts may just be the tip of the iceberg.
Old films may contain some personally identifiable information such as names, gender, dates of birth, dates of service, areas X-rayed and medical record numbers. Even though the thefts are generally for the silver and not for the information, entities have felt responsible for disclosing these breaches.
So…. have you increased the security around your discarded x-ray films? If not, consider the cost of breach notifications and the hassles that may ensue and take steps to improve security.