Once notified of the breach, CMHP had 60 days to contact patients whose information was in those files, according to federal regulations, and was required to post a public notice.
That notice published this week reveals several new details about how the breach occurred.
“On November 27, 2015, law enforcement contacted CMHP and advised us that CMHP’s patient records were found in a public recycling dumpster. CMHP employees immediately went to the recycling site, retrieved all the documents in the dumpster, and began an internal investigation. Our investigation determined that a CMHP vendor had inadvertently disposed of the lab records in the dumpster on November 25, 2015,” the statement said.
A CMHP spokesman would not reveal what vendor was involved but said the documents were being stored in a secure location that was preparing for renovation.
“Some documents were intended for a shredding vendor, while other documents were identified to be moved to a secure new off-site location. None of them were intended for a Dumpster,” spokesman Dave Lamb said.
The vendor was discarding other items from the location and inadvertently disposed of the patient records as well, he said.
“The lab records may include patients’ names, physicians’ names, accession numbers, types of study, guarantor information, health insurance information, diagnoses, other clinical information, and in some instances Social Security numbers and driver’s license numbers,” the statement continues.
The hospital believes it has retrieved all the documents that were discarded and has no reason to believe that exposed information has been used in any way, Lamb said.
“This incident did not affect all CMHP patients but in an abundance of caution we began mailing letters on January 25, 2016. We also established dedicated call center for patients to call with any questions,” CMHP’s statement said. “If you believe you are affected but do not receive a letter by February 15, 2016, please call 1-877-810-8083 between 9 a.m. and 9 p.m. Eastern Time.
“We also recommend that affected patients review the explanation of benefits they receive from their health insurer. If they see services that they did not receive, please contact the insurer immediately.”
In an effort to be fully transparent, CMHP is sending approximately 94,000 notification letters, Lamb said. Some of those may be duplicates as there are some individuals who may have received services from more than one facility and had their information included in the records more than once.
CMHP has also taken steps to re-inventory all document storage locations, significantly reduced or eliminated retention of paper documents and re-educated its facilities management contractors on storage and relocation to prevent this from happening in the future, the statement said.
About the Author