On May 10, I had noted a breach involving Los Robles Hospital and Medical Center in Thousand Oaks, California. HHS’s public breach tool had indicated that an incident involving their business associate, Courier Express, had resulted in the notification of 2,523 patients.
A hospital spokesperson kindly called me to respond to the e-mail inquiry I had sent asking for more details of the breach.
The short version of the incident is that when cartons of patient records were shipped to a Las Vegas scanning center for digitizing to comply with federal requirements for EMR, some of the cartons arrived at the Las Vegas location unsealed, and inspection of the cartons revealed that 133 patient charts were missing.
Because Los Robles had no way of knowing whether the other records in the unsealed cartons had been viewed or copied, they notified 2,523 patients in total (including the 133 whose records are suspected to have been stolen and not just lost).
Los Robles was first notified of the problem on March 6.
Patients were offered free credit-monitoring services with TransUnion. As of last night, the missing 133 charts had not been recovered, but Los Robles had no reports of any identity theft or misuse of the information.
Los Robles notified the state within 5 days after being notified of the problem, and also reported the incident to the Sheriff’s Department in Thousand Oaks. The sheriff’s investigation is reportedly ongoing, but the hospital spokesperson states that the Sheriff learned that Courier Express had recently hired some new drivers shortly before the incident.
Ironically, the paper records likely never would have been shipped and put at risk of loss or theft while in the custody of a courier if the federal government wasn’t requiring hospitals to convert paper records to EMR.
Great thanks to Los Robles Hospital for its transparency in sharing information about this incident. I wish more entities were as forthcoming.