Missouri medical group reports possible data breach

By Erin McCann
10:30 AM

Officials at Litton & Giddings Radiological Associates (LGRA) announced Wednesday a potential breach of the Health Insurance Portability and Accountability Act (HIPAA), which may have compromised the personal health information of some 13,000 patients.

According to a company press release, the mistake occurred due to a miscommunication between its billing company and janitorial provider. On July 31 and Aug. 2, 2012, the janitorial services provider at its billing company inadvertently sent patients' paper billing records to a Springfield recycling center without first shredding the records. Officials say there is no indication that any patient information has been misused.

According to an Oct. 5 letter mailed to potentially affected patients, the paper documents that were improperly disposed may have included patient names, addresses, dates of birth, diagnosis codes and/or Social Security numbers.

[See also: Infographic: Healthcare data breaches by state.]

Officials are uncertain which patient files and the exact number of patient files were sent to the recyling center. Thus, the letter notifying patients that their information may not have been properly shredded was mailed to the some 13,000 patients who had any billing activity between July 23 and Aug. 2, 2012. PST Services, Inc., the company that handles LGRA's billing records, was able to identify the specific dates when records were not properly destroyed by reviewing internal security cameras.

"LGRA takes the privacy of our patients very seriously and has notified potentially affected patients out of an abundance of caution," said Jay Smith, business manager for LGRA. "The billing company has ensured us that its landlord and vendors are aware of the procedures for the destruction of patient records."

Officials say PST Services is committed to patient record confidentiality and requires the shredding and destruction of records. However, on Aug. 10, 2012, LGRA learned that a building janitor mistakenly removed documents from the locked shred bin and placed them in a different secured container with other recyclable materials. This locked container was transported to a recycling center where the items were sorted for recycling and, ultimately, completely destroyed. The recycling process is largely mechanized, but recycling facility employees do, at times, manually sort the materials.

[See also: Top 5: Data breach winners and losers by state.]

LGRA is a 19-member radiology practice with seven locations across Missouri.

The Breach Notification Rule included in the Aug. 2009 HITECH Act requires HIPAA-covered entities and their business associates to give notification following a data breach involving patient health information of 500 or more individuals. To date, some 498 healthcare data breaches have been reported to the Department of Health and Human Services and have involved the personal health information of more than 20 million individuals.