DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

Eureka Internal Medicine notifies patients of potential disclosure of their information

Posted on March 4, 2014 by Dissent

Eureka Internal Medicine in Eureka, California notified patients of a HIPAA breach that was discovered in October 2013.

According to a notification from their lawyers:

From about September 25, 2013, until about October 9, 2013, when it was discovered, a janitorial service for Eureka Internal Medicine, was mixing paper recycling containing patient information with the regular trash at night, instead of moving it to the locked shredding bin, where it belonged. As a result, the paper containing patient information was thrown out with the regular trash, which was picked up and handled by the waste management company in the usual manner, instead of locked in a shred bin until picked up for secure shredding. We have no way of knowing if any of your personal health information was included in the special recycle bins during the time they were emptied in the regular trash. Information that may have been in the recycle bins includes:

  • Full Name,
  • Social Security Number,
  • Insurance plan information, and
  • Medical information.

You can read the full letter on the California Attorney General’s website (pdf).

It is not clear to me why this notice was just sent now to the California Attorney General’s Office. Are they first notifying patients five months after discovery of the breach, or did they simply forget to notify the state but notified patients month ago? The metadata on the undated template of the notification letter indicates it was created in October 2013.

An undated notice on EIM’s website linked prominently from their homepage, says:

Eureka Internal Medicine assures its patients that the security, confidentiality, integrity and privacy of patient personal information are of the utmost importance. Unfortunately, a potential breach of patient information was recently discovered by Eureka Internal Medicine.

From about September 25, 2013, until about October 9, 2013, when it was discovered, a janitorial service for Eureka Internal Medicine, was mixing paper recycling containing patient information with the regular trash at night, instead of moving it to the locked shredding bin, where it belonged, as was Eureka Internal Medicine’s long standing practice.  As a result, the paper containing patient information was thrown out with the regular trash, which was picked up and handled by the waste management company in the usual manner, instead of locked in a shred bin until picked up for secure shredding.  Information that may have been in the recycle bins that were improperly handled included full patient names, social security numbers, insurance plan information and some medical information.

We believe there is a very low likelihood that any of this information was obtained by outside people, however, we have sent a breach notification to each of our patients.

Please direct any inquiries to our attorneys, Schuering Zimmerman & Doyle, LLP, by calling their toll free number (888) 233-2305.

Which raises a second question for me: it’s one thing for lawyers to handle notifications to the states, but do patients want to get a breach notification letter from a law firm or from their doctor? Does getting notified by lawyers put patients off or do they find it reassuring? And does having a lawyer send a notification letter make lawsuits over the breach less or more likely?

Someone should try to research these questions, if they haven’t already. If any reader knows of such research already, please let me know.

Update: on Twitter, Glen Turpin reminded me that if the patient/customer doesn’t know the third party vendor that had a breach, getting a letter from them may not mean much. It’s a good point, and I’ll reframe my question as to whether consumers/patients prefer letters from the party they had the relationship with or from some party’s lawyers.  Maybe if it’s a third party breach involving a service provider that is not well known to the public, a letter from their lawyers may help convince the recipient it’s a legitimate breach notice.  But if your doctor or merchant had a breach, do you want the letter to come from them or their lawyers?


Related:

  • Maintenance Note
  • CISA Alert: Reported Supply Chain Compromise Affecting XZ Utils Data Compression Library, CVE-2024-3094
  • System Status Note
  • System Status Note
  • Fraudster's fake data breach claims should remind media to be careful what we report
  • "Pompompurin" taken into custody after violating conditions of pre-sentencing release on bond (1)
Category: Uncategorized

Post navigation

← EMC notifying some employees after vendor error disclosed their names and SSNs to unauthorized parties
Thermo Fisher Scientific notifies employees after laptop with their SSN is stolen →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • Scattered Spider is running a VMware ESXi hacking spree
  • BreachForums — the one that went offline in April — reappears with a new founder/owner
  • Fans React After NASCAR Confirms Ransomware Breach
  • Allianz Life says ‘majority’ of customers’ personal data stolen in cyberattack (1)
  • Infinite Services notifying employees and patients of limited ransomware attack
  • The safe place for women to talk wasn’t so safe: hackers leak 13,000 user photos and IDs from the Tea app
  • Au: Qantas hackers gave airline 72-hour deadline
  • Honeywell vulnerability exposes building systems to cyber attacks
  • Recent public service announcements of note — parents should take special note of these
  • Au: Junior doctor faces fresh toilet spying charges as probe widens to other major hospitals

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • Microsoft’s controversial Recall feature is now blocked by Brave and AdGuard
  • Trump Administration Issues AI Action Plan and Series of AI Executive Orders
  • Indonesia asked to reassess data privacy terms in new U.S. trade deal
  • Meta Denies Tracking Menstrual Data in Flo Health Privacy Trial
  • Wikipedia seeks to shield contributors from UK law targeting online anonymity
  • British government reportedlu set to back down on secret iCloud backdoor after US pressure
  • Idaho agrees not to prosecute doctors for out-of-state abortion referrals

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.
Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report