Poor handling of paper medical records at San Mateo (Calif.) Medical Center led to a data breach for 5,000 patients.
While frequent breaches affecting electronic protected health information have become the norm, many paper-based medical records remain that can be just as vulnerable, and following HIPAA rules for mitigating paper breaches is required just as it is for electronic breaches.
On November 6, an employee at the Daly City Clinic affiliated with the medical center left a box containing paper medical records under her desk before leaving work.
That night, temporary housekeeping staff mistook the box for recycling and put the papers in the recycling bin instead of the confidential bin for shredding. The practice was unable to identify which patients had their health information recycled, and as a result, the breach affected all 5,000 of the organization’s patients.
Protected information included names, dates of birth, medical record numbers, gender, age, providers, dates of service, patient account numbers and insurance codes.
“We regret that this incident occurred and are reinforcing our policy that medical staff should place all documents with patient information in the confidential bin for shredding and not leave documents with patient information out overnight,” practice leaders told affected individuals in a notification letter. Patients were also given information on how to protect their medical information.
Following the incident, clinic site visits were conducted, and the clinic manager instructed that recycling bins no longer be used, with confidential information immediately placed in the shred bin.
San Mateo Medical Center did not respond to a request for additional information, including whether patients were offered credit or identity theft protection services.