Eureka Internal Medicine in Eureka, California notified patients of a HIPAA breach that was discovered in October 2013.
According to a notification from their lawyers:
From about September 25, 2013, until about October 9, 2013, when it was discovered, a janitorial service for Eureka Internal Medicine, was mixing paper recycling containing patient information with the regular trash at night, instead of moving it to the locked shredding bin, where it belonged. As a result, the paper containing patient information was thrown out with the regular trash, which was picked up and handled by the waste management company in the usual manner, instead of locked in a shred bin until picked up for secure shredding. We have no way of knowing if any of your personal health information was included in the special recycle bins during the time they were emptied in the regular trash. Information that may have been in the recycle bins includes:
- Full Name,
- Social Security Number,
- Insurance plan information, and
- Medical information.
You can read the full letter on the California Attorney General’s website (pdf).
It is not clear to me why this notice was just sent now to the California Attorney General’s Office. Are they first notifying patients five months after discovery of the breach, or did they simply forget to notify the state but notified patients month ago? The metadata on the undated template of the notification letter indicates it was created in October 2013.
An undated notice on EIM’s website linked prominently from their homepage, says:
Eureka Internal Medicine assures its patients that the security, confidentiality, integrity and privacy of patient personal information are of the utmost importance. Unfortunately, a potential breach of patient information was recently discovered by Eureka Internal Medicine.
From about September 25, 2013, until about October 9, 2013, when it was discovered, a janitorial service for Eureka Internal Medicine, was mixing paper recycling containing patient information with the regular trash at night, instead of moving it to the locked shredding bin, where it belonged, as was Eureka Internal Medicine’s long standing practice. As a result, the paper containing patient information was thrown out with the regular trash, which was picked up and handled by the waste management company in the usual manner, instead of locked in a shred bin until picked up for secure shredding. Information that may have been in the recycle bins that were improperly handled included full patient names, social security numbers, insurance plan information and some medical information.
We believe there is a very low likelihood that any of this information was obtained by outside people, however, we have sent a breach notification to each of our patients.
Please direct any inquiries to our attorneys, Schuering Zimmerman & Doyle, LLP, by calling their toll free number (888) 233-2305.
Which raises a second question for me: it’s one thing for lawyers to handle notifications to the states, but do patients want to get a breach notification letter from a law firm or from their doctor? Does getting notified by lawyers put patients off or do they find it reassuring? And does having a lawyer send a notification letter make lawsuits over the breach less or more likely?
Someone should try to research these questions, if they haven’t already. If any reader knows of such research already, please let me know.
Update: on Twitter, Glen Turpin reminded me that if the patient/customer doesn’t know the third party vendor that had a breach, getting a letter from them may not mean much. It’s a good point, and I’ll reframe my question as to whether consumers/patients prefer letters from the party they had the relationship with or from some party’s lawyers. Maybe if it’s a third party breach involving a service provider that is not well known to the public, a letter from their lawyers may help convince the recipient it’s a legitimate breach notice. But if your doctor or merchant had a breach, do you want the letter to come from them or their lawyers?