DataBreaches.Net


Medical Records Stolen From Unlocked Hospital Boxes

Posted on November 9, 2011 by Dissent

Colleen Henry reports on a breach involving Columbia-St. Mary’s Ozaukee Hospital in Wisconsin that highlights some recurring problems with both breaches and breach notifications. I’m excerpting her excellent reporting to make a few points:

Investigators said a janitor fed patient records to gang members. The lead investigator said in a sworn statement that a janitor had access to a master key that opened most every room in the building, even though he had been a discipline problem.

It’s how easily the janitor accessed the records that is causing alarm.

While the hospital paid an outside firm to shred patient documents, records indicate the janitor accessed records from unsecured shredding boxes in the hospital with broken locks.

Police believe the scheme went on for months before being discovered.

This is not the first time we’ve seen a breach involving janitorial staff. In some cases, the staff were direct employees of the covered entity while in other cases, they were employees of a contracted service. But how well do you really investigate cleaning staff and the people with the keys to your kingdom?

But four years after the breach was discovered, many patients still have no idea their personal information may have been stolen.

Columbia St. Mary’s chose not to notify all its patients of the breach. They determined that only a few patients were affected.

“This is a situation that involved less than 10 people,” said Columbia-St. Mary’s spokeswoman Deborah Friberg. “All of those individuals were notified at the time.”

But the Sellers family was not told of the potential theft of their loved one’s records.

“The way my mother found out, through a third-party and not the hospital themselves after they knew this had happened, was appalling,” Sellers said.

In this type of situation, the entity cannot really know with complete assurance whose data have been stolen because the breach went on for months before being discovered. The hospital may have known for sure that 10 people were affected, but could it really be sure no others were at risk? Could gang members have re-sold information to others who would use it at another time?

The Sellers family sued Columbia-St. Mary’s for negligence and for violating their father’s right to privacy. The hospital fought the lawsuit, arguing that it, too, was a victim of a rogue employee who violated work rules and that it was not liable for negligence under Wisconsin law.

The judge dismissed the Sellers’ case last month, finding that Columbia-St. Mary’s was not legally responsible for the misconduct of its janitor. The judge also ordered the Sellers family to pay the hospital’s legal costs of $30,000.

I don’t know Wisconsin law, but saying that a firm is not responsible for the misconduct of its employee means that their assurances of privacy and security are pretty much b-sh*t. What are they saying, “We will keep your data secure and private, but you can’t be assured our employees will?”

12 News obtained court documents that state the scheme went on for as long as eight months and investigators seized nearly 30 patient records in a sting operation.

So were the other 20 patients notified by the hospital? HITECH may not have been in effect when the breach occurred, but HIPAA went into effect in 1996. A hospital spokesperson told the reporter:

“There was no rationale for doing something on a broader scale given the information we had at the time,” Friberg said.

An “abundance of caution” might have been a more appropriate and helpful response here.

Read the full report on WISN and see what you think. I do not think the hospital made the best decisions here.

© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.