CA: 33,000 patient records sold for the value of the paper
I saw this press release on the breach I mentioned yesterday on PHIprivacy.net where a janitor allegedly sold 14 boxes of patient records to a recycler for the value of the paper although I cannot find a copy of this press release on either the DHS web site or the LASD web site:
The Los Angeles County Department of Health Services (DHS) and the Los Angeles County Sheriff’s Department (LASD) announces a privacy breach comprising more than 33,000 patient records housed at the Martin Luther King, Jr. Multi-Service Ambulatory Care Center (MLK MACC) in South Los Angeles, and the arrest of a suspect charged with one count of felony commercial burglary.
The MLK-MACC discovered the files missing on July 29, 2010, and immediately launched a search of the MLK-MACC campus for the files, and commenced an investigation. The files were stored in a secured and locked location at the facility. The investigation included interviews of employees who had access to the location, including custodians who may have mistakenly sent the files for destruction. One such employee confessed that he had personally taken the files to a recycling company for its paper value. At that time, MLK-MACC referred the matter to the Sheriff who conducted a law enforcement investigation.
The boxes contained the following demographic information: name, address, date of birth, medical record number, finance batch number, and gender of patients who received care at the outpatient facility from January through October, 2008. No specific medical, financial, or social security information was included on the documents.
In the Sheriff’s investigation, the suspect admitted to the theft of records for the sole purpose of recycling the content of the boxes for monetary gain. There is no indication that the information was stolen for the purpose of identity theft.
Based on mandatory privacy statutes, individuals impacted by the breach will be notified by the facility by First Class Mail the week of September 20, 2010. The notification will include detailed information on steps impacted individuals should take to protect themselves from potential harm. In response to the incident, the department has implemented enhanced security measures and will be conducting patient privacy retraining.
“We take patient privacy in this department very seriously,” said DHS chief of operations Carol Meyer. “Despite measures previously employed by our facilities to secure protected information, this unforeseen event occurred. In the wake of this unfortunate incident, we are redoubling our security measures to ensure the safety and integrity of patient information.”
To address the concerns of those potentially impacted by the breach, DHS will post additional information, including the detailed steps that individuals can take to protect themselves from any potential harm resulting from this breach, on its website at www.ladhs.org/wps/portal/KingHomepage on September 21. Individuals can also call 877-418-6381 toll-free after September 21 to see if they have been impacted.