DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

Eureka Internal Medicine notifies patients of potential disclosure of their information

Posted on March 4, 2014 by Dissent

Eureka Internal Medicine in Eureka, California notified patients of a HIPAA breach that was discovered in October 2013.

According to a notification from their lawyers:

From about September 25, 2013, until about October 9, 2013, when it was discovered, a janitorial service for Eureka Internal Medicine, was mixing paper recycling containing patient information with the regular trash at night, instead of moving it to the locked shredding bin, where it belonged. As a result, the paper containing patient information was thrown out with the regular trash, which was picked up and handled by the waste management company in the usual manner, instead of locked in a shred bin until picked up for secure shredding. We have no way of knowing if any of your personal health information was included in the special recycle bins during the time they were emptied in the regular trash. Information that may have been in the recycle bins includes:

  • Full Name,
  • Social Security Number,
  • Insurance plan information, and
  • Medical information.

You can read the full letter on the California Attorney General’s website (pdf).

It is not clear to me why this notice was just sent now to the California Attorney General’s Office. Are they first notifying patients five months after discovery of the breach, or did they simply forget to notify the state but notified patients month ago? The metadata on the undated template of the notification letter indicates it was created in October 2013.

An undated notice on EIM’s website linked prominently from their homepage, says:

Eureka Internal Medicine assures its patients that the security, confidentiality, integrity and privacy of patient personal information are of the utmost importance. Unfortunately, a potential breach of patient information was recently discovered by Eureka Internal Medicine.

From about September 25, 2013, until about October 9, 2013, when it was discovered, a janitorial service for Eureka Internal Medicine, was mixing paper recycling containing patient information with the regular trash at night, instead of moving it to the locked shredding bin, where it belonged, as was Eureka Internal Medicine’s long standing practice.  As a result, the paper containing patient information was thrown out with the regular trash, which was picked up and handled by the waste management company in the usual manner, instead of locked in a shred bin until picked up for secure shredding.  Information that may have been in the recycle bins that were improperly handled included full patient names, social security numbers, insurance plan information and some medical information.

We believe there is a very low likelihood that any of this information was obtained by outside people, however, we have sent a breach notification to each of our patients.

Please direct any inquiries to our attorneys, Schuering Zimmerman & Doyle, LLP, by calling their toll free number (888) 233-2305.

Which raises a second question for me: it’s one thing for lawyers to handle notifications to the states, but do patients want to get a breach notification letter from a law firm or from their doctor? Does getting notified by lawyers put patients off or do they find it reassuring? And does having a lawyer send a notification letter make lawsuits over the breach less or more likely?

Someone should try to research these questions, if they haven’t already. If any reader knows of such research already, please let me know.

Update: on Twitter, Glen Turpin reminded me that if the patient/customer doesn’t know the third party vendor that had a breach, getting a letter from them may not mean much. It’s a good point, and I’ll reframe my question as to whether consumers/patients prefer letters from the party they had the relationship with or from some party’s lawyers.  Maybe if it’s a third party breach involving a service provider that is not well known to the public, a letter from their lawyers may help convince the recipient it’s a legitimate breach notice.  But if your doctor or merchant had a breach, do you want the letter to come from them or their lawyers?

Category: Uncategorized

Post navigation

← EMC notifying some employees after vendor error disclosed their names and SSNs to unauthorized parties
Thermo Fisher Scientific notifies employees after laptop with their SSN is stolen →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • Comstar LLC agrees to corrective action plan and fine to settle HHS OCR charges
  • Australian ransomware victims now must tell the government if they pay up
  • U.S. Sanctions Cloud Provider ‘Funnull’ as Top Source of ‘Pig Butchering’ Scams
  • Victoria’s Secret takes down website after security incident
  • U.S. Government Employee Arrested for Attempting to Provide Classified Information to Foreign Government
  • St. Cloud Provides Update on Ransomware Attack in 2024
  • Bradford Health Systems detected abnormal network activity in December 2023. They first sent out breach notices this week.
  • Websites selling hacking tools to cybercriminals seized
  • ConnectWise suspects cyberattack affecting some ScreenConnect customers was state-sponsored
  • Possible ransomware attack disrupts Maine and New Hampshire Covenant Health locations

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • Why AI May Be Listening In on Your Next Doctor’s Appointment
  • Watch out for activist judges trying to deprive us of our rights to safe reproductive healthcare
  • Nebraska Bans Minor Social Media Accounts Without Parental Consent
  • Trump Taps Palantir to Compile Data on Americans
  • The US Is Storing Migrant Children’s DNA in a Criminal Database
  • Home Pregnancy Test Company Wins Dismissal of Pixel Wiretapping Suit
  • The CCPA emerges as a new legal battleground for web tracking litigation

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.