Mercy Health Love County Hospital and Clinic in Oklahoma appears to be having a rough year with breaches and notifications. As previously reported on this site, last summer they had an incident involving medical records being stolen for identity theft. They disclosed that incident in July, and in September, 2017, they reported it to HHS. Then on December 5, they issued a supplement, which was also reported on this site.
But that wasn’t the end of their breach woes, it seems. On February 26, they issued yet another breach notification. This one related to a discovery on December 27 that they could not account for some old desktop computers that should have been destroyed. As they note, it is possible that the computers were destroyed but that they documentation either didn’t get done properly or was misplaced, but because there had been that other incident over the summer, it was also possible that maybe some desktops had been stolen during the break-in to steal medical records.
So Mercy Health has sent out notifications to patients, noting that they really don’t even know if any protected health information was even on the unaccounted-for desktops.
I can’t imagine that HHS will be too happy about this one. You don’t know whether your computers were destroyed or stolen, and you don’t know what was on the computers? I would not want to be trying to spin this one for HHS.
You can read the hospital’s February 26th notification template here (pdf). An abbreviated version identifying both the summer and December incidents can be found on their web site, here.