Boulder Community Health investigating patient records allegedly acquired from unlocked bins or dumpsters

Alex Burness reports on a situation that should concern patients:

At least nine Boulder Community Health patients have had copies of their personal medical records stolen either from inside or nearby the hospital’s Foothills campus, then mailed to them by an anonymous source.

It’s the third such breach the hospital has investigated since 2008.

In addition to their own patient information, at least two of the victims received a letter stating that the regional health provider — known as Boulder Community Hospital until an April 22 name change — is “still leaving medical records exposed” at many of its 18 locations in Boulder and Broomfield counties.

[…]

Though only nine victims have been identified, there may be many more. The first names, last name initials, and birth months and years of 334 people are printed on the other side of the letter.

Under that list is the address and contact information of Denver’s Office of Civil Rights, which handles regional Health Insurance Portability and Accountability Act (HIPAA) complaints.

Read more on Daily Camera.

It seems clear someone is either trying to blow the whistle on BCH’s inadequate data protection for PHI or is out to hurt BCH – or both. According to Burness, the letter’s author suggested that patient information can be easily stolen from bins outside of BCH’s Foothills campus.

Past Incidents

As reported previously on this blog, in September, 2008, the Daily Camera reported:

Paperwork containing the names, birth dates, Social Security numbers and other personal information of more than 200 patients at Boulder Community Hospital have been stolen, according to Boulder police.

Police spokeswoman Sarah Huntley said the forms taken were copies of patient-intake forms of 207 people who visited the Occupational Health and Therapy Services Department from Aug. 12-19.

In March 2010,  ABC News reported that at least 14 patients at Family Medical Associates – a clinic owned by Boulder Community Health (then-called Boulder Community Hospital) had received anonymous letters warning that their medical records are not being disposed of properly and were being left in unlocked bins:

The letters state that the forms were found outside in unsecured locations and they include pictures of a row of recycle bins.

To prove it, whoever wrote the letters attached private medical forms that included names, social security numbers and dates of birth.

According to Burness, 79 BCH patients were identified as affected by that incident.

While no reports of identity theft were reported in connection with the 2010 incident, cases of ID theft were reported for a third incident that was disclosed in June 2011.  As also noted previously on this blog, 9News reported that a contract nurse was accused of illegally accessing patient files of patients seen at Boulder Community Hospital and other Colorado facilities, and in some cases using Social Security numbers and other information to open credit cards in patients’ names. The nurse was subsequently charged with identity theft and theft of medical records.

Enter HHS, Stage Left?

The current incident is remarkably similar to the 2010 incident in terms of claims that BCH is not adequately securing patient records slated for disposal.  Given that this is the second report of its kind involving allegedly unlocked bins, I expect that OCR will investigate this fully and may require a corrective action plan. Because the 2010 incident and this incident seem to each involve less than 500 patients, we will not see these incidents reported in HHS’s public breach tool. Local news media in Colorado may need to file under Freedom of Information to find out what, if anything, HHS did as a result of the 2010 report.

Whether HHS imposes a monetary penalty for what may be a repeat or second offense is anyone’s guess, and whether law enforcement identifies the anonymous tipster and that person faces any criminal charges remains to be seen.  Could FTC investigate, too? Given their analysis of their authority, I think they could, but I don’t know how likely it is for this case. Certainly HHS and the FTC have both investigated and taken action in other cases involving the security and disposal of paper records with PHI (cf, the CVS and Rite Aid cases). This case seems to be much smaller in terms of number of patients affected, but certainly no less serious.

It is a bit of a mystery as to who the anonymous tipster might be. If it’s an employee trying to blow the whistle on sloppy PHI security, then there are other ways to accomplish this. And if it’s not an employee trying to blow the whistle, then it’s curious that the person didn’t just take some evidence and contact the media and file a complaint with HHS.  In any event, I hope the person behind this is adequately protecting any patient records they suggest were removed from the bins and will consider securely shredding them.

About the author: Dissent