The Wackiest HIPAA Data Breaches of 2013

The following is a guest post by David Vogel, blogger for Layered Tech.
David Vogel
2013 was a historic year for HIPAA violations, with more than 5.7 million patients affected and the second-largest breach ever reported in the U.S. Department of Health & Human Services online database.

The year also featured some of the strangest violations ever seen, including some incredible security whiffs, business associate failures, and criminal shenanigans. Let’s dive into the top five “funny if they weren’t true” data breaches of the past year:

News Crew Goes Dumpster Diving for Patient Records
When an Indianapolis parishioner stumbled across medical records in recycling dumpster on church property, an investigative reporter from the local NBC affiliate jumped in, literally. What the reporter found were thousands of patient records containing medical history, Social Security numbers, credit card info and other data.

Upon investigation, the dumped records were tied back to the Comfort Dental offices in Marion and Kokomo Indiana, which closed after the dentist who ran the offices lost his medical license due to fraudulent billing.

You can’t make this sort of thing up.

To add further intrigue, before calling in the Feds, the news crew loaded up the boxes of records and stored them at the studio. According to the reporter, their past experiences with finding private health information taught them the “way to best protect this info and to get action is to do exactly what we did.”

The files have since been handed over to officials, who have determined that 5,388 people were affected.

Indiana news reporter Bob Segall investigates patient records dumped in church recycling bin. Courtesy: WTHR-TV
Indiana news reporter Bob Segall investigates patient records dumped in church recycling bin. Courtesy: WTHR-TV

Miniaturized Medical Data Float Around Fort Worth
In May of 2013, Fort Worth residents found sheets of microfiche from the ’80s and ’90s in a park and other public areas in Fort Worth. The sheets, which contained miniaturized medical records from Texas Health Fort Worth, had been destined for destruction, but apparently lost by the business associate (BA) contracted to shred them.

The bad news for the 277,014 patients potentially affected? The microfiche sheets likely contained Social Security numbers among the medical records. The slight glimmer of hope? Microfiche format and readers have become very rare, lessening the chance of the records being recognized and misused.

Example microfiche sheet via Wikimedia
Example microfiche sheet via Wikimedia

X-Rays Worth Their Weight in Silver
When Raleigh Orthopaedic Clinic hired a contractor to transfer x-ray films to digital images, they ended up on the wrong side of a nefarious scam. In March, the clinic discovered that their contractor instead sold the films to a recycling company to be scrapped for their silver, leaving the clinic with no digital version of the x-rays, no validation of their destruction, and the 6th-largest HIPAA breach of 2013 (17,300 patients affected).

No Privacy for Kim Kardashian and Baby North West
When celebrities Kim Kardashian and Kanye West checked into L.A.’s Cedars-Sinai Medical Center for the birth of their child, it wasn’t just paparazzi looking for the inside scoop. Six staffers were fired from the hospital in the days following the birth of baby North West for having “inappropriately accessed” patient data. The resulting investigation found that five of the suspects snooped on the patient records using the log-ins of the physicians for whom they worked, which also violated hospital policy. The other suspect had access to the patient database for billing purposes.

Image via Wikimedia
Image via Wikimedia

Felon Gets Hospital Job, Steals Records for Tax Scam
A failed attempt to cash a fraudulent check led to the discovery of one of the most disturbing HIPAA breaches of 2013. The story starts when Oliver Gayle, a Miami man with past felony convictions for racketeering and grand theft, got a temp job at the Mount Sinai Medical Center in Miami Beach using an inaccurate background check. Gayle then began accessing and printing hundreds of patient records and transactional information from the Hospital’s account database. The stolen records went unnoticed until a bank notified police about an attempt to cash a bad check, and gave a description of the car Gayle was driving.

What happened next was like a story out of America’s Dumbest Criminals.

When Gayle was pulled over, Police found that he had more than 15 suspensions to his driver’s license, and prepped to have the car towed. However, Gayle first requested that officers bring along an open bag from the car. Inside the bag, officers found a treasure trove of patient and financial information, including more than a hundred Mount Sinai records, copies of U.S. Treasury checks, Social Security numbers, fraudulent tax returns and a counterfeit U.S. Visa.

Gayle has since been convicted for his identity theft tax refund scheme, and faces prison time for several decades’ worth of fraud and identity theft charges. In the meantime, Mount Sinai may face penalties for the HIPAA violations, which affected 628 people.

About the Author: David Vogel is a blogger for Layered Tech, a leading provider of HIPAA-compliant hosting and private cloud. Connect with David on Twitter (@DavidVogelDotCo) and Google+ (+David Vogel).

   

Categories