In addition to the more than 49,000 patients of Orthopaedic Specialty Institute Medical Group whose records were allegedly stolen by employees of Iron Mountain and the 10,000 patients of the Long Beach Internal Medical Group whose records were stolen, PHIprivacy.net has uncovered a third victim.
The Hand Care Center / Shoulder and Elbow Institute in Orange, California also reports receiving notification from Iron Mountain about the problem. In a notice on their home page, they write:
The Hand Care Center wants to alert our patients that on June 17, 2014, we received notice from Iron Mountain Record Management—which is the company that serves as the custodian for many of our older medical records—that 25 boxes of X-ray jackets containing X-rays taken of our patients prior to 2002 have turned up missing. After an internal investigation was conducted and a police report filed, Iron Mountain concluded that it was two employees who were likely responsible for taking X-rays, selling them to a recycler, which then melted them down to recover the silver they contain. The majority of the X-rays were ten years old, so any patients seen after that time are likely unaffected. The destroyed X-rays may have contained protected health information such as patients’ names, dates of birth, gender, treating physician, medical records numbers, as well as orthopedic imaging present on the X-ray. The stolen records included absolutely no financial information. Any patients that had X-rays taken after 2002 are unlikely to be affected by this breach. If you have any questions, please contact 1-877-615-3762.
PHIprivacy.net has emailed The Hand Center to inquire how many of their patients were notified of the theft and will update this entry as more information becomes available. As of the date of this posting, the incident has not appeared on HHS’s public breach tool.