Pentucket Medical notifies employees and patients of data security incident

Speaking of confusing incident reports, Pentucket Medical in Massachusetts reported a somewhat confusing incident to the New Hampshire Attorney General’s Office. It seems that on January 18, four boxes of mainly physician/clinician records were removed from CubeSmart Storage Facility by another client of the facility. Why that client might knowingly remove those cartons, and how that client was even able to access Pentucket’s storage boxes is not totally clear from the notification.

In any event, the incident was caught on surveillance video and the individual, contacted by the facility and the police, “returned intact” the boxes on February 21 to the Haverhill Police Department, who returned them to Pentucket. That, it seems, is when Pentucket first learned of the incident. When the storage facility first learned of the theft/removal was not made clear, nor whether the storage facility directly notified Pentucket of the situation when it learned of it.

In response to the incident, Pentucket took a number of steps, including implementing more oversight of transportation, placement, and retention of records stored off-site.

Employee information in the files included and last names, addresses, employment contracts, Social Security numbers and compensation information. Information on an unspecified number of patients included their names, Social Security numbers, and health insurance information.

Although Pentucket’s submission to the New Hampshire Attorney General included a copy of notification to employees, it did not contain a copy of their notification to patients, and depending on the number affected, we may not see this one on HHS’s breach tool.

Correction: The link to the notification was corrected post-publication. Thanks to the alert reader who caught that error.

About the author: Dissent