I know the arguments against holding covered entities for auditing and monitoring their business associates periodically for compliance with any contracts, but when you don’t hold covered entities really accountable for checking that their vendors or business associates are living up to their contracts, stuff like this happens. And it can go on for years.
On May 28, St. Joseph Health System notified its patients of a data security incident involving Central Files, Inc:
Central Files, Inc. (“Central Files”) was entrusted to provide secure record storage and destruction, during the respective time periods below, for the following South Bend-area entities (the “South Bend Entities”) which publish this notice:
– Saint Joseph Health System (1999-2013)
– Allied Physicians of Michiana (1995-2007)
– New Avenues (June 2004-December 2015)
– South Bend Medical Foundation (2009-2015)
– Goshen Emergency Physicians, LLC / Elkhart Emergency Physicians, Inc. (2002-2010)
– Michiana Hematology Oncology (2002-2004)
– Cardiology Associates, Inc. (“CAI”) (March 1, 2007-November 30, 2013). CAI and its records were acquired by Beacon Health System in December 2013 and CAI was subsequently dissolvedThe records entrusted to Central Files included sensitive and legally-protected information about these organizations’ patients, clients, and/or employees. Central Files was paid to destroy certain records, and was supposed to securely store the remaining records until transfer to a subsequent records storage company.
Between April 1 and April 9, 2020, the South Bend Entities were alerted that confidential documents which had been entrusted to Central Files for secure storage and destruction were discovered improperly dumped in an unsecure South Bend-area location sometime before April 1, 2020 and several more times until May 15, 2020.
So this wasn’t a one-off, it seems. But when did it start? In 1995? In 2019? This year? Did any of the entities ever go on site at Central Files to observe the secure storage they were paying for? I’m not shaming them if they didn’t, because I’ve never been on-site at the firm that provides secure storage for my patient records. And while I observe secure shredding of some records, there are times when the firm shreds them there and sends me a certification that they were securely shredded. But do I really know for sure that happened? If I’m honest, then no, I don’t really know for sure.
h/t, Becker’s Hospital Review.
Update/Note: As Patrick points out in Comments, Central Files Inc. was sold in 2015. So who took responsibility for the transfer or the records and/or the disposal of the records then and since then?
This is strange. Central Files was acquired by another company in 2015. It doesn’t exist and hasn’t existed in five years. https://www.insideindianabusiness.com/story/30443127/major-records-storage-company-adds-south-bend-business
It strikes me that these records were either not included in the acquisition for some reason (possibly because they we supposed to be destroyed) or the acquiring company missed a facility. I suspect that the storage location was abandoned and no one was in the building until it was scheduled for demolition or re-occupancy.
That said, whoever was responsible for records at St. Joseph Health System has some explaining to do.
Right. If you look at the dates in the notification, for each entity it shows that Central File’s arrangement/involvement ended in 2015. But what did Central Files tell its clients back in 2015, or what arrangements were made, and what did the covered entities require or do?
And why, when you look up James Linder on LinkedIn, does it show he currently lists himself as CEO of Central Files, Inc., a position he has held since May, 1986?
There’s a lot of explaining that needs to happen…. and I’ll be curious to see what, if anything, OCR does.