CORRECTION: In response to the original post, below, I received the following e-mail from Texas Health:
Good morning. Just an FYI that we did notify these patients within the 60-day timeframe. The problem is that in our efforts to keep the press release at the top of our news page and easy for people to find, we have to repost it – and it gets tagged with the current date. And every time we do that, it’s resent to people who are signed up for our news feed. That includes reporters. In addition to the ‘new’ date, we left the phrasing “announced today” in the copy. It should have read “July 2013.” So we’ll try to make that more clear in the future. Thanks for being such advocates for patient privacy.
PHIprivacy.net appreciates Texas Health’s clarification.
Original post:
Five months after discovery of breach, Texas Health Harris Methodist Hospital Fort Worth notifying patients
Remember that incident involving Texas Health Harris Methodist Hospital Fort Worth and their vendor Shred-It? The breach involving microfiche records of over 275,000 patients was disclosed in July. According to the hospital, the microfiche records may have included patient names, addresses, dates of birth, medical record numbers, clinical information, health insurance information, and in some instances Social Security numbers.
I was surprised to learn that Texas Health Harris Methodist Hospital Fort Worth is first sending out notification letters now.
Given that they first learned of a problem in May, will HHS find this delay in notification acceptable? It certainly exceeds the 60-day timeframe.