The Pierce County Herald reports:
River Falls Medical Clinic says it has notified about 2,400 clients of a breach of unsecured personal information.
The breach occurred after clinic officials reported stolen equipment to the River Falls Police in the summer of 2012.
Police investigated and found the stolen equipment, as well as paper documents containing patient-identifying information, in the suspect’s home on Nov. 28.
[…]
Eckes allegedly took paper documents from medical clinic bins that stored documents intended to be shredded.
These documents contained personal information, such as the patient’s first and last name, date of birth, certain patient account/billing account information such as diagnosis codes, scheduling information, insurance information, account numbers and medical chart numbers.
Some documents also contained patient Social Security Numbers, home addresses and phone numbers.
All these records were returned to the clinic.
According to clinic administrator Jon Pedersen, clinic officials have concluded that the overall risk of harm to patients is low. Out of caution, affected patients were still contacted by letter.
Read more on Pierce County Herald.
The report raises a number of questions:
1. When did the clinic first learn that the records had been stolen? In November, when the police returned them, or at the time of the theft?
2. When and why did the clinic make the determination that the risk of harm was low? Did they investigate to determine whether any of the info had been used between the summer of 2012 and November when the records were returned?
3. When were patients notified of this incident? And if they were only recently notified, why the delay between discovery of the breach and notification?