Iron Mountain employees suspected of stealing, selling old X-rays files for silver
Courtney Perkes reports:
Orthopaedic Specialty Institute Medical Group said that 742 boxes of X-rays of its patients went missing from an Iron Mountain Record Management storage facility in the Inland Empire. Police were called and the storage company concluded that two employees had melted down the X-rays to collect the silver.
The medical group said it’s unknown when the theft occurred but that the X-rays were 10 to 15 years old and may have contained patient names, birth dates and medical record numbers. The X-rays did not contain any financial information.
Read more on OCRegister.
A notice on the practice’s web site’s home page provides some additional details:
Orthopedic Specialty Institute Medical Group of Orange County in Orange, California wants to alert our patients that on June 17, 2014, we received notice from Iron Mountain Record Management—which is the company that serves as the custodian for many of our older medical records—that 742 boxes of X-ray jackets containing X-rays of our patients have turned up missing. After an internal investigation was conducted and a police report filed, Iron Mountain concluded that it was two employees who were likely responsible for taking X-rays, selling them to a recycler, which then melted them down to recover the silver they contain. The majority of the X-rays were ten years old, so any patients seen after that time are likely unaffected. The destroyed X-rays may have contained protected health information such as patients’ names, dates of birth, gender, treating physician, medical records numbers, as well as orthopedic imaging present on the X-ray. The stolen records included absolutely no financial information nor social security numbers.
There was no statement included from Iron Mountain. Although it appears that they discovered the theft through their internal checks, which is to their credit, what will they do going forward to prevent a similar problem in the future?
Update of 8-26-2014: This incident was added to HHS’s public breach tool with the CE’s report that it impacted 49,714 patients.