A woman discovers patient records on the doorstep of an abandoned building

01 May 2013

Author: Patrick Ouellette

Lakeshore Mental Health Institute of Tennessee has been associated with a strange patient data breach of records that date back to 1995, but the incident doesn’t involve any current patients. That’s because, as WBIR.com reports, the organization ended patient admissions in June 2012, but sensitive data has still been exposed to the public.

Hilda Lindeman, who worked at Lakeshore for 28 years, incidentally found the records while taking a walk on the premises. Lindeman said that the records, which included data such as Social Security numbers, patient names, case numbers and birth dates, were located at the doorstep of an abandoned building that wasn’t locked.

HealthITSecurity.com spoke with Tennessee Department of Mental Health and Substance Abuse Services Communications Director Michael Rabkin this afternoon. He explained that the building where the files were located had been out of use, aside from training, since the mid-1990s and had been vandalized at some point in 2012. He said that, upon learning yesterday from WBIR.com that the files (which he said amount to less than a banker’s box) were there, the Department of Mental Health and Substance Abuse Services retrieved them and identified the files as old backup Census reports. While they did contain the patient-identifying information listed above, there was no medical data such as diagnoses or prescription information in the reports.

If the records belong to the Tennessee Department of Mental Health and Substance Abuse Services, the department would be considered responsible under HIPAA. But Rabkin went on to say that the organization is looking to determine whether the files pre-date HIPAA and what their responsibilities would be if they were indeed that old. There’s also the question of self-reporting and what the Department of Mental Health and Substance Abuse Services needs to do since the records were in paper form. If these were electronic records, Rabkin said the organization would need to self-report immediately for HIPAA compliance.

“This is very important to us and we need to figure it out,” Rabkin said.

Article sourced from: http://healthitsecurity.com/2013/05/01/lakeshore-mental-health-institute-leaves-patient-data-exposed/