I know the arguments against holding covered entities for auditing and monitoring their business associates periodically for compliance with any contracts, but when you don’t hold covered entities really accountable for checking that their vendors or business associates are living up to their contracts, stuff like this happens. And it can go on for years.
On May 28, St. Joseph Health System notified its patients of a data security incident involving Central Files, Inc:
Central Files, Inc. (“Central Files”) was entrusted to provide secure record storage and destruction, during the respective time periods below, for the following South Bend-area entities (the “South Bend Entities”) which publish this notice:
– Saint Joseph Health System (1999-2013)
– Allied Physicians of Michiana (1995-2007)
– New Avenues (June 2004-December 2015)
– South Bend Medical Foundation (2009-2015)
– Goshen Emergency Physicians, LLC / Elkhart Emergency Physicians, Inc. (2002-2010)
– Michiana Hematology Oncology (2002-2004)
– Cardiology Associates, Inc. (“CAI”) (March 1, 2007-November 30, 2013). CAI and its records were acquired by Beacon Health System in December 2013 and CAI was subsequently dissolved
The records entrusted to Central Files included sensitive and legally-protected information about these organizations’ patients, clients, and/or employees. Central Files was paid to destroy certain records, and was supposed to securely store the remaining records until transfer to a subsequent records storage company.
Between April 1 and April 9, 2020, the South Bend Entities were alerted that confidential documents which had been entrusted to Central Files for secure storage and destruction were discovered improperly dumped in an unsecure South Bend-area location sometime before April 1, 2020 and several more times until May 15, 2020.
So this wasn’t a one-off, it seems. But when did it start? In 1995? In 2019? This year? Did any of the entities ever go on site at Central Files to observe the secure storage they were paying for? I’m not shaming them if they didn’t, because I’ve never been on-site at the firm that provides secure storage for my patient records. And while I observe secure shredding of some records, there are times when the firm shreds them there and sends me a certification that they were securely shredded. But do I really know for sure that happened? If I’m honest, then no, I don’t really know for sure.
Update/Note: As Patrick points out in Comments, Central Files Inc. was sold in 2015. So who took responsibility for the transfer or the records and/or the disposal of the records then and since then?notice-of-improper-disposal-of-records-incident-for-website-posting-052820