DataBreaches.Net


Boulder Community Health investigating patient records allegedly acquired from unlocked bins or dumpsters

Posted on May 8, 2014 by Dissent

Alex Burness reports on a situation that should concern patients:

At least nine Boulder Community Health patients have had copies of their personal medical records stolen either from inside or nearby the hospital’s Foothills campus, then mailed to them by an anonymous source.

It’s the third such breach the hospital has investigated since 2008.

In addition to their own patient information, at least two of the victims received a letter stating that the regional health provider — known as Boulder Community Hospital until an April 22 name change — is “still leaving medical records exposed” at many of its 18 locations in Boulder and Broomfield counties.

[…]

Though only nine victims have been identified, there may be many more. The first names, last name initials, and birth months and years of 334 people are printed on the other side of the letter.

Under that list is the address and contact information of Denver’s Office of Civil Rights, which handles regional Health Insurance Portability and Accountability Act (HIPAA) complaints.

Read more on Daily Camera.

It seems clear someone is either trying to blow the whistle on BCH’s inadequate data protection for PHI or is out to hurt BCH – or both. According to Burness, the letter’s author suggested that patient information can be easily stolen from bins outside of BCH’s Foothills campus.

Past Incidents

As reported previously on this blog, in September 2008, the Daily Camera reported:

Paperwork containing the names, birth dates, Social Security numbers and other personal information of more than 200 patients at Boulder Community Hospital have been stolen, according to Boulder police.

Police spokeswoman Sarah Huntley said the forms taken were copies of patient-intake forms of 207 people who visited the Occupational Health and Therapy Services Department from Aug. 12-19.

In March 2010, ABC News reported that at least 14 patients at Family Medical Associates – a clinic owned by Boulder Community Health (then called Boulder Community Hospital) – had received anonymous letters warning that their medical records were not being disposed of properly and were being left in unlocked bins:

The letters state that the forms were found outside in unsecured locations and they include pictures of a row of recycle bins.

To prove it, whoever wrote the letters attached private medical forms that included names, social security numbers and dates of birth.

According to Burness, 79 BCH patients were identified as affected by that incident.

While no cases of identity theft were reported in connection with the 2010 incident, cases of ID theft were reported for a third incident that was disclosed in June 2011. As also noted previously on this blog, 9News reported that a contract nurse was accused of illegally accessing patient files of patients seen at Boulder Community Hospital and other Colorado facilities, and in some cases using Social Security numbers and other information to open credit cards in patients’ names. The nurse was subsequently charged with identity theft and theft of medical records.

Enter HHS, Stage Left?

The current incident is remarkably similar to the 2010 incident in terms of claims that BCH is not adequately securing patient records slated for disposal. Given that this is the second report of its kind involving allegedly unlocked bins, I expect that OCR will investigate this fully and may require a corrective action plan. Because the 2010 incident and this incident seem to each involve fewer than 500 patients, we will not see these incidents reported in HHS’s public breach tool. Local news media in Colorado may need to file under Freedom of Information to find out what, if anything, HHS did as a result of the 2010 report.

Whether HHS imposes a monetary penalty for what may be a repeat or second offense is anyone’s guess, and whether law enforcement identifies the anonymous tipster and that person faces any criminal charges remains to be seen. Could FTC investigate, too? Given their analysis of their authority, I think they could, but I don’t know how likely it is for this case. Certainly HHS and the FTC have both investigated and taken action in other cases involving the security and disposal of paper records with PHI (cf. the CVS and Rite Aid cases). This case seems to be much smaller in terms of number of patients affected, but certainly no less serious.

It is a bit of a mystery as to who the anonymous tipster might be. If it’s an employee trying to blow the whistle on sloppy PHI security, then there are other ways to accomplish this. And if it’s not an employee trying to blow the whistle, then it’s curious that the person didn’t just take some evidence and contact the media and file a complaint with HHS. In any event, I hope the person behind this is adequately protecting any patient records they suggest were removed from the bins and will consider securely shredding them.

Category: Health Data
