The protected health information (PHI) of 116,898 patients of HealthReach Community Health Centers based in Waterville, MA was exposed and possibly compromised.
HealthReach Community Health Centers manages 11 community health centers located in Western and Central Maine. It discovered that an employee of a third-party data storage facility had improperly discarded hard drives that stored patient information.
HIPAA requires that all electronic devices containing PHI be discarded in a way that guarantees the information they contain is unreadable and cannot be reconstructed. This usually entails clearing (using software or hardware solutions to overwrite the media with non-sensitive data), purging (degaussing, that is, subjecting the media to a powerful magnetic field), or destroying the media through disintegration, shredding, melting, pulverization, or incineration.
The data breach notification submitted to the Maine Attorney General by HealthReach stated that patient information was compromised on April 7, but that it learned of the improper disposal on May 7. Upon learning of the incident, HealthReach started an investigation to determine what data was saved on the hard drives and which people were affected.
The types of data stored on the hard drives varied from one patient to another. Besides patient names, some or all of the following types of data were included: addresses, birth dates, Social Security numbers, medical insurance data, medical record numbers, laboratory test results, treatment data, and financial account details.
HealthReach mailed notification letters to affected people on September 9, 2021. People whose financial data or Social Security number was compromised received free one-year identity theft protection and credit monitoring services. At the time the notification letters were issued, HealthReach had not received any information regarding attempted or actual misuse of patient data.
HealthReach stated that it has enlisted the help of data storage vendors to make sure similar breaches do not happen in the future, including by providing additional training for employees.