LABS PUT SO MUCH EFFORT INTO SECURING electronic health records, that it’s easy to overlook the need to protect paper records. St. Joseph’s Medical Center in Stockton, California, learned this lesson the hard way recently when thieves stole more than 700 paper records from one of the hospital’s 23 patient service centers (PSC).
The theft showed that paper records and PSCs can be difficult to secure, stated Teresa Bryant, the lab’s Administrative Director, who added that “many of the hospital’s PSCs are in rented facilities where the landlord is responsible for maintaining security.” She stated that, when a window at one PSC was locked— but unmonitored by the security system— thieves broke in and stole three boxes of patient records.
St. Joseph’s Medical Center is a 350-bed hospital that is part of Dignity Health (formerly Catholic Healthcare West-CHW). Its laboratory does reference testing for the entire DignityHealth organization and processes 2,000 requisitions per day.
The theft took place in March and the hospital staff notified each affected patient by mail and posted information on the hospital’s web site. “On February 2, 2012, we discovered that a storeroom window had been broken at the HealthCare Clinical Laboratory (HCCL) Patient Service Center located at 89 W. March Lane, Stockton, and that two storage boxes containing HCCL lab requisition forms were missing from the center,” the hospital said in its notice to patients.
“We were able to determine that the missing lab requisition forms related to certain laboratory services provided between December 13, 2011, and January 5, 2012, and between January 17, 2012, and January 31, 2012.
During our ongoing investigation, on March 16, 2012, we discovered that an additional box of requisition forms was also missing related to services provided between October 24, 2011, and November 18, 2011,” the statement continued. The hospital recommended that patients check their credit ratings and offered free enrollment in a credit monitoring service.
“Since then we moved all the boxes and rechecked all PSCs to ensure they are secure,” Bryant said.
The breach was a violation under the Health Insurance Portability and Affordability Act (HIPPA), requiring the hospital to notify patients and federal and state officials and post an explanation on its website, Bryant added.
Bryant explained that the staff scanned all test requisition forms each day and then stored the paper records onsite in boxes by date of service. “Because we knew which dates were stored in which boxes, we pulled the list of all patients seen on those days and contacted them all,” she said. “The problem was that the records included Social Security numbers, insurance policy numbers, dates of birth, addresses, guarantors’ names, and patients’ names.” Bryant believes the thieves may have used the information to apply for credit cards under the patients’ names.
THE DARK REPORT observes that lab directors should recheck the security at all locations, including rented and leased space, and do not overlook paper records.