In the biggest HIPAA privacy breach of 2013 – and among the largest to date – Texas Health Harris Methodist Fort Worth is notifying some 277,000 patients that their protected health information has been compromised after several hospital microfilms, which were supposed to be destroyed, were found in various public locations.
Texas Health Fort Worth had contracted with Toronto-based Shred-it to destroy the confidential patient information, but the microfilms were not actually destroyed, as had been agreed upon in the contract, officials say. Instead, a local resident found a portion of the microfiche in a nearby park in May. Additionally, three other sheets of microfiche were found in two other public areas.
The records on the microfiche contained patient names, addresses, dates of birth, medical record numbers, clinical information, health insurance information and in some cases Social Security numbers.
According to a Texas Health website notice, Shred-it assured the hospital that the microfiche remaining in its possession was disposed of. Shred-it did not respond by publication time to a Healthcare IT News request for comment on why the other microfiche sheets were not properly destroyed.
"One thing to note is that microfiche is no longer commonly used, and you have to have a specialized reader to see the information," wrote Wendell Watson, spokesperson for Texas Health Resources, in an emailed statement. "You cannot just hold it up to the light and read it, for example. That is one reason we think it is unlikely that any information was accessed."
Watson says the microfiche was limited to Texas Health Fort Worth patients who were seen between 1980 and 1990. Patient notification letters were mailed out starting July 11.
"We deeply regret the inconvenience to you," reads a company notice. "To help prevent something like this from happening in the future, Texas Health Fort Worth and the entire Texas Health System has changed document destruction vendors."
This is the third big HIPAA breach for a Texas Health Resources hospital, according to data from the Department of Health and Human Services.