St. Mary’s Hospital Campus in Jefferson City notifies 301,000 of limited PHI left behind in a 2014 move
And this is why I always wait to close out monthly stats in healthcare. The following incident just showed up on HHS’s public breach tool today as having been reported to them on July 30, and affecting 301,000 patients. St. Mary’s Hospital’s notice, below, indicates that the entity was not sure of the number affected.
JEFFERSON CITY, MO – On June 1, 2018, SSM Health St. Mary’s Hospital – Jefferson City was notified that documents and other materials containing patient information were discovered in isolated locations at the former hospital campus, while it was being readied for demolition. Upon notification, SSM Health promptly secured the information and launched an immediate investigation.
St. Mary’s Hospital has confirmed that all formal medical records were safely and securely transferred prior to the move to the new facility on November 16, 2014. The type of information located at the old facility largely consisted of administrative and operational supporting documents for various departments. The documents included demographic, financial, and/or clinical data, but in most instances involved very limited information such as name or medical record number alone. A comprehensive review of the recovered information is underway, and the hospital has also retained a document services firm to assist in cataloging all recovered documents.
Although at all times security safeguards and deterrents were in place to protect the facility, the investigation has confirmed that the safeguards were not adequate to ensure the security of the patient information and other materials with absolute confidence between the date of the move until the date that the hospital was notified on June 1, 2018. For this reason, we are notifying affected individuals out of an abundance of caution. Given the age and type of information recovered, the hospital does not yet have a reliable estimate of the number of individuals impacted, however it’s actively working to identify every patient whose information has been recovered.
With the recovery of the patient information, SSM Health feels that this incident does not represent a significant risk to patients, however, it does constitute a privacy breach under Health Insurance Portability and Accountability Act (HIPAA). The Office for Civil Rights has been notified, and St. Mary’s is in the process of sending notification letters containing additional information to the impacted patients who can be identified and located.
The hospital is also reviewing and revising its policies and procedures regarding proper record storage, retention and destruction, as necessary. “We are taking immediate steps to resolve this situation and prevent something similar from ever happening again,” said Phil Gustafson, interim regional president of Operations, SSM Health of Mid-Missouri. “We take very seriously our role of safeguarding our patients’ personal information, and deeply regret any inconvenience or concern this situation may cause our patients.”
If patients have additional questions, they can call toll-free 1-888-648-8404 to get more information.
SOURCE: SSM Health St. Mary’s Hospital – Jefferson City