John Henry of WBIR provides a follow-up on a breach previously noted on this blog where patient records were found in an abandoned building at Lakeshore Mental Health Institute.
A freedom of information request filed by the news outlet produced some interesting information, apart from documenting that the state moved promptly to address the breach once it was discovered:
May 1, Heather Gundersen, the assistant commissioner of administrative services with TDMHSAS, sent an email to the CEOs of other mental health institutes across the state.
It read, “CEOs: please make sure you don’t have any confidential records left in any unsecured, old buildings.”
Just two days later, a state employee reported that he found at least 20 boxes of records in the abandoned Roberts Hall building at the Clover Bottom Campus of the Middle Tennessee Mental Health Institute.
“They (the records) were left behind, they were left there,” Rabkin said.
The records dated back to the 1980s. Emails show the state reviewed them after their discovery to decide which ones to destroy.
Read more on The Tennessean. The breach involving the Middle Tennessee Mental Health Institute does not appear on HHS’s public-facing breach tool, although there are a number of possible explanations for that.
One of the take-home messages from this report should be “Seek and ye may find.” This might be a good time for all states to check abandoned buildings to ensure that patient records are not lying around exposed. We could even have a catchy name for the week in which this would occur like “Closed, Not Exposed.” Or whatever…