4 Mass. Hospitals Investigating BreachesThousands of Paper Documents Found at Dump
A photographer for the Boston Globe newspaper discovered the records at the public dump in Georgetown, Mass., on July 26 when he was dumping his trash. The newspaper reports that the photographer discovered a pile of pathology reports about 20 feet wide by 20 feet long.
The pathology practices involved serve patients at Carney Hospital in Dorchester, Mass; Holyoke Medical Center in Holyoke, Mass; Milford Regional Medical Center in Milford, Mass.; and Milton Hospital in Milton, Mass. All the hospitals have posted statements about the incident on their Web sites.
The pathology records, dating from 2007 through 2010, include such information as names, addresses, dates of birth, Social Security numbers, insurance information and, in some cases, diagnoses related to pathology tests, according to statements on three of the hospital sites. The records did not include financial or credit card information.
Goldthwaite Associates, which provides billing services for the pathology practices that serve the hospitals, dumped the records at the transfer station, according to statements from two of the hospitals. "We have been assured by the Georgetown Transfer Station that the documents were transferred to a waste station in Maine to be pulverized and recycled," the statement from Holyoke Medical Center says. "At this time, we are unaware of how many documents are still in the possession of the Boston Globe."
The Carney Hospital statement notes: "We believe the records were sent to the landfill during a purge of old billing records at the billing company. At this time, we believe that the billing company did not regularly dispose of their records in this landfill and that this is an isolated incident."
Holyoke estimates between 16,000 and 24,000 patients may be affected by the breach. Milton Hospital estimates more than 8,000 to 12,000 of its patients were affected. The other hospitals did not provide estimates.
The hospitals are continuing their investigations of the breaches and will notify patients involved as required under the HITECH Act breach notification rule. As of Aug. 17, the incidents had not yet been posted to the Health and Human Services' Office for Civil Rights list of major breaches.