Franciscan Health Employee Unauthorized Access and Abandoned Boxes of Medical Records in Chatham, Chicago Exposed PHI

Franciscan Health located in Mishawaka, IN found out that a former staff committed unauthorized access of the protected health information (PHI) of around 2,200 patients.

In a routine privacy review, Franciscan Health learned about the privacy breach. On May 24, 2019, Franciscan Health confirmed that a staff designated in the quality research department accessed the electronic medical records of patients even without authorization or legit reason.

The man or woman who committed the privacy breach no longer works in Franciscan Health. The law enforcement already received this breach report. In spite of the confirmed illegal PHI access, there is no evidence found that the staff copied, sent, or disclosed any patient information.

Since 2012, Franciscan Health saves patient information in its medical record system. The former staff used the EHR system to view patient files containing their names, birth dates, email addresses, addresses, phone numbers, gender and race/nationality, health record numbers and Social security numbers (last four digits only).

The former staff may possibly accessed some patients’ information including: doctor’s name, laboratory test results, diagnoses, prescribed medications, emergency contact details, other treatment information, driver’s license numbers, and insurance claims details. The complete Social Security numbers of some patients were also included.

Franciscan Health is going to send breach notifications via mail to all affected patients including details about the two-year free enrollment to identity theft protection services.

Another breach that was lately reported in Chatham Chicago, IL concerned boxes of medical records deserted outside the Medical Professional Home Healthcare Center. The medical files included sensitive patient data.

Carmen Dooley is the manager of the Medical Professional Home Healthcare center. However, when the state health medical department license and business license of Dooley expired in April 2017, the operator did not renew them. Upon checking the premises, the Illinois Department of Public Health observed it was deserted without utilities. The healthcare center owner can’t be located, Medicare decertified the company in 2017.

A recent CBS report stated that the medical files were brought back to the storage containers within the premises. However, the containers were later removed and the files were abandoned in 5-feet piles. Certain local property owners mentioned that the medical records containing years of sensitive data had been left there for months. The report also said that Dooley was not aware that that the documents were left behind when the containers were taken away.

About Christine Garcia 1299 Articles
Christine Garcia is the staff writer on Calculated HIPAA. Christine has several years experience in writing about healthcare sector issues with a focus on the compliance and cybersecurity issues. Christine has developed in-depth knowledge of HIPAA regulations. You can contact Christine at [email protected]. You can follow Christine on Twitter at