DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

Eureka Internal Medicine notifies patients of potential disclosure of their information

Posted on March 4, 2014 by Dissent

Eureka Internal Medicine in Eureka, California notified patients of a HIPAA breach that was discovered in October 2013.

According to a notification from their lawyers:

From about September 25, 2013, until about October 9, 2013, when it was discovered, a janitorial service for Eureka Internal Medicine, was mixing paper recycling containing patient information with the regular trash at night, instead of moving it to the locked shredding bin, where it belonged. As a result, the paper containing patient information was thrown out with the regular trash, which was picked up and handled by the waste management company in the usual manner, instead of locked in a shred bin until picked up for secure shredding. We have no way of knowing if any of your personal health information was included in the special recycle bins during the time they were emptied in the regular trash. Information that may have been in the recycle bins includes:

  • Full Name,
  • Social Security Number,
  • Insurance plan information, and
  • Medical information.

You can read the full letter on the California Attorney General’s website (pdf).

It is not clear to me why this notice was just sent now to the California Attorney General’s Office. Are they first notifying patients five months after discovery of the breach, or did they simply forget to notify the state but notified patients month ago? The metadata on the undated template of the notification letter indicates it was created in October 2013.

An undated notice on EIM’s website linked prominently from their homepage, says:

Eureka Internal Medicine assures its patients that the security, confidentiality, integrity and privacy of patient personal information are of the utmost importance. Unfortunately, a potential breach of patient information was recently discovered by Eureka Internal Medicine.

From about September 25, 2013, until about October 9, 2013, when it was discovered, a janitorial service for Eureka Internal Medicine, was mixing paper recycling containing patient information with the regular trash at night, instead of moving it to the locked shredding bin, where it belonged, as was Eureka Internal Medicine’s long standing practice.  As a result, the paper containing patient information was thrown out with the regular trash, which was picked up and handled by the waste management company in the usual manner, instead of locked in a shred bin until picked up for secure shredding.  Information that may have been in the recycle bins that were improperly handled included full patient names, social security numbers, insurance plan information and some medical information.

We believe there is a very low likelihood that any of this information was obtained by outside people, however, we have sent a breach notification to each of our patients.

Please direct any inquiries to our attorneys, Schuering Zimmerman & Doyle, LLP, by calling their toll free number (888) 233-2305.

Which raises a second question for me: it’s one thing for lawyers to handle notifications to the states, but do patients want to get a breach notification letter from a law firm or from their doctor? Does getting notified by lawyers put patients off or do they find it reassuring? And does having a lawyer send a notification letter make lawsuits over the breach less or more likely?

Someone should try to research these questions, if they haven’t already. If any reader knows of such research already, please let me know.

Update: on Twitter, Glen Turpin reminded me that if the patient/customer doesn’t know the third party vendor that had a breach, getting a letter from them may not mean much. It’s a good point, and I’ll reframe my question as to whether consumers/patients prefer letters from the party they had the relationship with or from some party’s lawyers.  Maybe if it’s a third party breach involving a service provider that is not well known to the public, a letter from their lawyers may help convince the recipient it’s a legitimate breach notice.  But if your doctor or merchant had a breach, do you want the letter to come from them or their lawyers?

No related posts.

Category: Uncategorized

Post navigation

← EMC notifying some employees after vendor error disclosed their names and SSNs to unauthorized parties
Thermo Fisher Scientific notifies employees after laptop with their SSN is stolen →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • Air Force Employee Pleads Guilty to Conspiracy to Disclose Unlawfully Classified National Defense Information
  • UK police arrest four in connection with M&S, Co-op and Harrods cyberattacks (1)
  • At U.S. request, France jails Russian basketball player Daniil Kasatkin on suspicion of ransomware conspiracy
  • Avantic Medical Lab hacked; patient data leaked by Everest Group
  • Integrated Oncology Network victim of phishing attack; multiple locations affected (2)
  • HHS’ Office for Civil Rights Settles HIPAA Privacy and Security Rule Investigation with Deer Oaks Behavioral Health for $225k and a Corrective Action Plan
  • HB1127 Explained: North Dakota’s New InfoSec Requirements for Financial Corporations
  • Credit reports among personal data of 190,000 breached, put for sale on Dark Web; IT vendor fined
  • Five youths arrested on suspicion of phishing
  • Russia Jailed Hacker Who Worked for Ukrainian Intelligence to Launch Cyberattacks on Critical Infrastructure

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • How to Build on Washington’s “My Health, My Data” Act
  • Department of Justice Subpoenas Doctors and Clinics Involved in Performing Transgender Medical Procedures on Children
  • Google Settles Privacy Class Action Over Period Tracking App
  • ICE Is Searching a Massive Insurance and Medical Bill Database to Find Deportation Targets
  • Franklin, Tennessee Resident Sentenced to 30 Months in Federal Prison on Multiple Cyber Stalking Charges
  • On July 7, Gemini AI will access your WhatsApp and more. Learn how to disable it on Android.
  • German court awards Facebook user €5,000 for data protection violations

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.