CEO SUMMARY: Pathologists at four Massachusetts hospitals got a powerful reminder recently that a breach of protected health information (PHI) can occur at any time for the most unexpected reason. Earlier this month, the Boston Globe reported that the pathology reports and patient information for tens of thousands of individuals had been found unshredded and left at a public dump. The news caused the four hospitals and their pathology groups to scramble to stay ahead of events.
IN MASSACHUSETTS, A MAJOR BREACH of patient privacy involving tens of thousands of pathology reports and billing records has suddenly thrust four hospitals and their pathology groups into the media spotlight.
The episode is a timely warning to all pathology groups and clinical laboratories about the consequences from a breach in patient privacy that involves “protected health information” (PHI), as defined in the recent HITECH legislation. (See TDR, March 29, 2010.)
Disclose Breach of PHI
One of the requirements mandated by the HITECH bill is that, in the event of a breach of PHI, the provider must take certain steps. These steps can include notification of the local, regional, and even national media with news of the breach, along with details to inform patients whose PHI may have been involved in the breach.
In this case, it was a media outlet, the Boston Globe, which discovered the patient privacy breach on July 26. It alerted the hospitals it believed were responsible for the patient records found at the public dump site. The Boston Globe then published its story about the incident on August 13, 2010.
Identified in the press stories about the breach of patients’ protected health information were the following hospitals and pathology groups:
• In Holyoke: Holyoke Medical Center (159 beds); Pioneer Valley Pathology Associates, P.C.
• In Dorchester: Caritas Carney Hospital (159 beds), independent pathology group.
• In Milford: Milford Regional Medical Center (121 beds); Milford Pathology Associates.
• In Milton: Milton Hospital (81 beds); Milton Pathologists, Inc.
The story starts on July 26, when a photographer for the Boston Globe visited the public dump transfer station in Georgetown, Massachusetts. While there on personal business, he saw a “huge pile of paper 20 foot wide by 20 foot long.” Curious as to why such a large volume of paper was not being recycled, he walked over to the pile. Upon closer inspection, he determined that the paper was made up of unshredded records that included “pathology reports with patients’ names, addresses, and results of breast, bone, and skin cancer tests, as well as the results of lab work following miscarriages.”
Hospitals Were Contacted
He took samples of the reports back to the Boston Globe. After contacting the four hospitals, the Globe printed a story about the incident on August 13. News of the privacy breach attracted widespread attention throughout Massachusetts.
It was quickly determined that the company that did private contract billing for the pathology groups at the four hospitals was responsible for sending the unshredded paper patient records to the Georgetown public dump. Named in press accounts was Goldthwait Associates of Marblehead, Massachusetts.
The Boston Globe reported that “Goldthwait was purchased around June 1. The new owner’s lawyer, Anthony Turco, said the new owner took records only from 2010, and any older records would have been disposed of by the former owner, Joseph Gagnon.” When contacted by the Globe, Gagnon declined to comment.
Pathology Billing Company
Pathologists using Goldthwait’s pathology billing services were surprised to learn of the improper disposal of the patient records. For example, pathologist John Blanchette, M.D., who works at Holyoke Medical Center, told the Globe reporter that his pathology group “had an understanding that they [Goldthwait] know how to dispose of medical records. We’ve done business with this company for 22 years and we’re pretty upset about this. Everything as far as we knew was fine.”
The number of patients whose records may have been compromised is significant. Officials at Holyoke Medical Center estimate that between 16,000 and 24,000 of their patients are affected. Milton Hospital officials estimate that 8,000 to 12,000 of their patients were involved in the privacy breach. The records are believed to cover primarily the years 2007 through 2009.
For pathologists and clinical laboratory managers, there are several important insights and lessons to be drawn from this particular breach of patient privacy now unfolding in Massachusetts.
First, it is essential to conduct an internal review of existing policies, procedures, and operating practices that involve the collection, use, storage, and disposition of confidential information about patients.
The design and execution of this review is best done with the input of an attorney or other expert in the field of patient privacy. The changes instituted by the HITECH Act are significant, and labs should not take a “do it yourself” approach to assessing their current policies and work procedures to identify the gaps or vulnerabilities that make a breach of protected health information (PHI) possible.
Second, informed by the findings of this assessment, the clinical laboratory or pathology group should take steps to address the deficiencies identified.
The third step is to update all company policies, handbooks, and operating procedures. This documents how the laboratory has proactively worked to protect the PHI it has access to and handles.
Train The Lab Staff About PHI
Fourth, all employees should undergo training on the current standards and requirements for securing PHI. Not only does this keep the lab staff up to date on the latest requirements of the HITECH Act, but it also documents that laboratory management was proactive in establishing policies and training staff to properly handle PHI.
The fifth step is to develop the crisis response plan and designate a team to step up and handle the issues involved should a breach of PHI occur. The discovery of unshredded paper pathology reports and patient records at a public dump illustrates how suddenly a laboratory or pathology group could find itself facing television and newspaper reporters.
Pathologists and clinical laboratory managers may also find it useful to visit the web sites of the four hospitals involved in this PHI breach. In this context, the current episode provides a case study of how other providers are interpreting the requirements of the HITECH Act.
Each hospital has posted a public notice that can be reached from its home page. Typically, the statements posted provide specific details on how the PHI was breached and why there is a possibility that a patient’s confidential information may have been compromised.
These hospital statements notify patients that they may want to take certain actions. These actions include placing a security freeze and/or a fraud alert on their credit reports, requesting a copy of their credit report, and filing a complaint with the Federal Trade Commission.
Since the new provisions of the HITECH Act took effect, this is one of the first public disclosures of a major PHI breach that involves pathology or clinical laboratory organizations. Thus, it is a timely warning and alert to senior laboratory leaders about the importance of being prepared to address a breach of protected health information.
In Massachusetts, four pathology groups are dealing with the consequences of a privacy breach that may involve 35,000 to 40,000 patients. A timely internal review and assessment of how PHI was handled and protected would have been simple insurance to help prevent a breach of this nature from happening.
800,000 Patient Records Breached at MA Hospital
PATHOLOGY RECORDS are not the only source of a patient privacy breach in Massachusetts. On July 20, news sources reported that South Shore Hospital in Weymouth had acknowledged that 800,000 patient files were missing.
South Shore Hospital CEO Richard Aubut stated that a vendor serving the hospital could not account for back-up data files containing information on 800,000 patients, physicians, employees, volunteers, donors, vendors, and other business partners. The records covered the period from January 1, 1996 through January 6, 2010.
The hospital, in a statement on its web site, wrote that “South Shore Hospital’s back-up computer files were shipped for offsite destruction on February 26, 2010. When certificates of destruction were not provided to the hospital in a timely manner, the hospital pressed the data management company for an explanation. South Shore Hospital was finally informed on June 17, 2010, that only a portion of the shipped back-up computer files had been received and destroyed.”
Aubut says that the hospital will write a letter to each individual affected by this privacy breach. It has posted a sample of the letter on its web site. The hospital noted that it had no evidence that information on the back-up computer files was improperly accessed. However, it recommends that any individual whose information may have been compromised obtain a credit report. The hospital has also stopped the off-site destruction of its computer files.
Because media notification may be a necessary step for certain types of privacy breaches involving the “protected health information” (PHI) of patients, there will be a larger number of public disclosures as these events occur.