DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

Eureka Internal Medicine notifies patients of potential disclosure of their information

Posted on March 4, 2014 by Dissent

Eureka Internal Medicine in Eureka, California notified patients of a HIPAA breach that was discovered in October 2013.

According to a notification from their lawyers:

From about September 25, 2013, until about October 9, 2013, when it was discovered, a janitorial service for Eureka Internal Medicine, was mixing paper recycling containing patient information with the regular trash at night, instead of moving it to the locked shredding bin, where it belonged. As a result, the paper containing patient information was thrown out with the regular trash, which was picked up and handled by the waste management company in the usual manner, instead of locked in a shred bin until picked up for secure shredding. We have no way of knowing if any of your personal health information was included in the special recycle bins during the time they were emptied in the regular trash. Information that may have been in the recycle bins includes:

  • Full Name,
  • Social Security Number,
  • Insurance plan information, and
  • Medical information.

You can read the full letter on the California Attorney General’s website (pdf).

It is not clear to me why this notice was just sent now to the California Attorney General’s Office. Are they first notifying patients five months after discovery of the breach, or did they simply forget to notify the state but notified patients month ago? The metadata on the undated template of the notification letter indicates it was created in October 2013.

An undated notice on EIM’s website linked prominently from their homepage, says:

Eureka Internal Medicine assures its patients that the security, confidentiality, integrity and privacy of patient personal information are of the utmost importance. Unfortunately, a potential breach of patient information was recently discovered by Eureka Internal Medicine.

From about September 25, 2013, until about October 9, 2013, when it was discovered, a janitorial service for Eureka Internal Medicine, was mixing paper recycling containing patient information with the regular trash at night, instead of moving it to the locked shredding bin, where it belonged, as was Eureka Internal Medicine’s long standing practice.  As a result, the paper containing patient information was thrown out with the regular trash, which was picked up and handled by the waste management company in the usual manner, instead of locked in a shred bin until picked up for secure shredding.  Information that may have been in the recycle bins that were improperly handled included full patient names, social security numbers, insurance plan information and some medical information.

We believe there is a very low likelihood that any of this information was obtained by outside people, however, we have sent a breach notification to each of our patients.

Please direct any inquiries to our attorneys, Schuering Zimmerman & Doyle, LLP, by calling their toll free number (888) 233-2305.

Which raises a second question for me: it’s one thing for lawyers to handle notifications to the states, but do patients want to get a breach notification letter from a law firm or from their doctor? Does getting notified by lawyers put patients off or do they find it reassuring? And does having a lawyer send a notification letter make lawsuits over the breach less or more likely?

Someone should try to research these questions, if they haven’t already. If any reader knows of such research already, please let me know.

Update: on Twitter, Glen Turpin reminded me that if the patient/customer doesn’t know the third party vendor that had a breach, getting a letter from them may not mean much. It’s a good point, and I’ll reframe my question as to whether consumers/patients prefer letters from the party they had the relationship with or from some party’s lawyers.  Maybe if it’s a third party breach involving a service provider that is not well known to the public, a letter from their lawyers may help convince the recipient it’s a legitimate breach notice.  But if your doctor or merchant had a breach, do you want the letter to come from them or their lawyers?

Category: Uncategorized

Post navigation

← EMC notifying some employees after vendor error disclosed their names and SSNs to unauthorized parties
Thermo Fisher Scientific notifies employees after laptop with their SSN is stolen →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • Masimo Manufacturing Facilities Hit by Cyberattack
  • Education giant Pearson hit by cyberattack exposing customer data
  • Star Health hacker claims sending bullets, threats to top executives: Reports
  • Nova Scotia Power hit by cyberattack, critical infrastructure targeted, no outages reported
  • Georgia hospital defeats data-tracking lawsuit
  • 60K BTC Wallets Tied to LockBit Ransomware Gang Leaked
  • UK: Legal Aid Agency hit by cyber security incident
  • Public notice for individuals affected by an information security breach in the Social Services, Health Care and Rescue Services Division of Helsinki
  • PowerSchool paid a hacker’s extortion demand, but now school district clients are being extorted anyway (3)
  • Defending Against UNC3944: Cybercrime Hardening Guidance from the Frontlines

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • The App Store Freedom Act Compromises User Privacy To Punish Big Tech
  • Florida bill requiring encryption backdoors for social media accounts has failed
  • Apple Siri Eavesdropping Payout Deadline Confirmed—How To Make A Claim
  • Privacy matters to Canadians – Privacy Commissioner of Canada marks Privacy Awareness Week with release of latest survey results
  • Missouri Clinic Must Give State AG Minor Trans Care Information
  • Georgia hospital defeats data-tracking lawsuit
  • No Postal Service Data Sharing to Deport Immigrants

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.