As More Health Records Go Digital, Paper Still at RiskBreach Lawsuit Is Reminder to Safeguard All Patient Data
Radiology Regional Center recently filed a motion to dismiss a class-action lawsuit filed against the Fort Myers, Fla.-based clinic in the wake of a paper records breach potentially affecting more than 483,000 individuals, alleging there's no evidence of harm caused. But experts say even if this case is thrown out of court, the breach shows why healthcare organizations cannot afford to neglect safeguarding paper documents as they migrate to electronic health records and other digital systems.
"As entities continue the transition from paper to electronic records, they should keep in mind that the sudden archiving or destruction of paper records creates new risks," says privacy attorney Adam Greene of the law firm Davis Wright Tremaine, who is not involved in the Florida clinic's case. "Even with good systems in place, problems can occur ... such as during transport or destruction."
The Radiology Regional Center incident, which occurred on Dec. 15, 2015, but was reported to the Department of Health and Human Services on Feb. 12, is the largest breach involving lost, stolen or improperly disposed paper or film records listed on the federal "wall of shame" website since HHS' Office for Civil Rights began keeping tally in 2009 of breaches affecting 500 or more individuals.
In an earlier statement, the clinic explained that Lee County Solid Waste Division, the company responsible for the disposal of its patient records, ran into trouble while it was transporting patient records to an incinerator to be destroyed. During transport, "a small quantity of records" were released onto a road as a result of the Lee County driver's failure to properly secure the container door, Radiology Regional contends. Because records for 483,000 patients were among the materials being transported by the county waste disposal company, the practice reported that figure to HHS in its breach report.
A class-action lawsuit filed against Radiology Regional Center in a federal court in Florida alleges that the breach puts patients at risk of harm. In addition to citing the risk of identity theft and credit card and income tax fraud, the lawsuit says some of those whose records may have been lost, including judges and police officers, run the risk of their occupations and addresses being exposed to those who could do them harm.
In a motion filed on June 17, Radiology Regional Center seeks to dismiss the lawsuit based on several issues. For example, it alleges that because less than two-thirds of the proposed class of affected individuals are Florida citizens, a court in Florida should not hear the case. It also asserts that the plaintiffs haven't established harm, such as being victims of identity theft or fraud linked to the incident. And it claims that the plaintiffs' allegations of being at increased risk of future harm is too speculative.
Representatives of Radiology Regional Center and an attorney for the plaintiffs did not immediately respond to Information Security Media Group's request for comment on the latest developments in the lawsuit.
"The general lack of concrete injury is the primary basis on which these [breach] lawsuits get dismissed," notes privacy attorney Kirk Nahra of the law firm Wiley Rein, who is not involved in the case. "The courts have been pretty firm in requiring something more than just a theoretical injury."
In the Radiology Regional Center case, there is no clear indication that any records were even lost, Nahra says. "If some portion were lost, there is no indication whatsoever in this case that the records were recovered by anyone, much less by anyone who would do something wrong with any records. So, this is a more speculative case than many others, even where those others also get dismissed."
The Florida clinic said in its statement that as soon as it learned of the incident, "every effort was made to retrieve the records, including a foot search of the surrounding area by more than a dozen of our employees and physicians. In an abundance of caution, a second search of the area was conducted by foot on Dec. 21, 2015, and a third was conducted on Dec. 22, 2015. As a result of our numerous searches, we believe that virtually all of the records were retrieved."
The Radiology Regional Center incident "is a good reminder that paper records still matter," Nahra says. "These kinds of incidents happen - very sporadically - but they do happen."
Incidents involving paper records, however, may become an even bigger problem as more entities move to electronic records and get rid of large quantities of paper charts. So organizations need to be mindful of the problems that can occur and take precautions, says privacy attorney David Holtzman, vice president of compliance at the security consultancy CynergisTek.
"The business needs for destruction [of paper records] are varied but the processes to ensure the confidentiality of the records are strikingly similar," he says. "Covered entities and business associates must plan every step of the process by which the records will be collected, make an inventory of the documents that are being sent off site, the means by which the records will be safeguarded while being moved to the site where they will be destroyed and documentation that the process was completed using appropriate means to assure complete destruction."
In addition, attorney Greene suggests that "entities should check their insurance coverage to ensure that they have adequate protection for the unexpected. Cyber policies are often focused on computerized data, so entities should check that they have coverage for problems involving hard copy health information too."
As of June 21, the OCR "wall of shame" breach tally shows that since September 2009, about 25 percent of the 1,587 incidents listed on the federal tally website have involved paper or film. Of those, nearly half involved loss or theft, about 11 percent involved improper disposal and the remainder involved unauthorized access/disclosure.
The incidents on the breach tally involving paper records or film affected a combined total of about 3 million individuals, or less than 2 percent of the nearly 159 million individuals that have been impacted by all breaches listed.
One recent breach involving unauthorized access or disclosure of paper records or film was reported to OCR on June 8 by retail giant Walmart. The incident affected more than 27,000 individuals.
Walmart tells Information Security Media Group that the incident occurred when a company that processes refund checks for Walmart and Sam's Club pharmacy and optical center customers experienced a printing error.
"This error caused incorrect information to be printed on the letters that accompanied the refund checks sent to customers," the retailer says in a statement. "As a result, the mailing a customer received may have included another individual's information, limited to name; pharmacy prescription number or an optical order number; order date; refund amount; and city and state of the Walmart or Sam's Club visited."