August 10, 2018
SSM Health St. Mary’s Hospital in Jefferson City, Missouri is notifying hundreds of thousands of patients that a few of their PHI has been left undefended and might possibly have been seen by illegal people.
On November 16, 2014, St. Mary’s Hospital relocated to a new location and all patients’ medical files were shifted to the new service and were protected permanently. Nevertheless, on June 1, 2018, the hospital noticed a lot of documents having PHI had been left over.
The documents were mainly managerial and operational supporting documents and had only a restricted amount of PHI. For the bulk of patients, the only information that was disclosed was their name and medical record number. Some patients also had some clinical data, demographic information, and fiscal information disclosed.
Because of the number of documents involved, the hospital has booked a document facilities company to record all the documents and decide which patients have had some of their PHI disclosed. It has taken some time for that procedure to be finished and for St. Mary’s to be provided with a dependable figure of the number of patients affected. The break report submitted to the Division of Health and Human Services Office for Civil Rights shows 301,000 patients have had some of their PHI disclosed.
Safety protections and constraints were in place at the old facility, even though after probing, SSM Health concluded that those protections were inadequate to make sure the safety of patient information and it was not possible to say, with complete confidence, that the documents were not seen by illegal people during the three and a half years when they were insufficiently safeguarded.
Although the occurrence constitutes a data break and warrants notices to be sent to patients, SSM Health doesn’t believe patients face a substantial risk of abuse of their information because of the limited amount of PHI that was disclosed and the age of the data.
The hospital has now taken steps to make sure that more secrecy breaks don’t happen including reviewing and amending policies and procedures for record storage, retention, and demolition.