St Joseph Health System Reports the Improper Disposal of Patient Records by Medical Record Storage Facility

St Joseph Health System in North Central Indiana is sending notifications to patients regarding the exposure of some of their protected health information (PHI) due to unauthorized viewing. The breach did not occur at St Joseph Health but at a business associate.

Central Files Inc provides a secure document storage facility in South Bend, IN. As per the HIPAA law, it securely stores patient documents and disposes of specific records. Central Files Inc. is now closed however needs to continue to hold patient data until a substitute secure records facility can be found.

Between April 1 and April 9, 2020, a number of healthcare groups associated with St Joseph Health System were informed that confidential data that contains patient information was disposed in an area in the South Bend area at some point before April 1, 2020.

The information found in the area was in bad condition. Based on the substitute breach notification posted on the St Joseph Health System website, the documents had indications of moisture damage, mold, and rat infestation, and damage due to mixing with garbage and other debris. Attempts were made to track down patients whose information was exposed, but trained safety staff established that inspecting most the records will be dangerous to health and advised the best move to make was to securely destroy the records.

The files that could be safely salvaged were recovered and St Joseph Health System has hired a vendor to restore the remaining documents from the site. That process was accomplished on May 20, 2020 and preparations were made to securely and permanently destroy those records.

In a lot of cases, the records were outdated and contained out of date information. A number of the documentation included paper copies of medical records and billing statements that included data such as names, contact details, Social Security numbers, clinical and diagnostic data and dates of services. Patients have been informed regarding the breach. There’s no evidence that suggests the misuse of any information, although the probability of unauthorized access couldn’t be ruled out.

The records were associated with the following entities

Allied Physicians of Michiana (From 1995 to 2007)
Saint Joseph Health System (From 1999 to 2013)
New Avenues (From June 2004 to December 2015)
South Bend Medical Foundation (From 2009 to 2015)
Michiana Hematology Oncology (From 2002 to 2004)
Goshen Emergency Physicians, LLC / Elkhart Emergency Physicians, Inc. (From 2002 to 2010)
Cardiology Associates, Inc. (From March 1, 2007 to November 30, 2013)

The HHS’ Office for Civil Rights breach portal hasn’t displayed the breach yet, so it is unclear at the moment how many patients were affected.

About Christine Garcia 1289 Articles
Christine Garcia is the staff writer on Calculated HIPAA. Christine has several years experience in writing about healthcare sector issues with a focus on the compliance and cybersecurity issues. Christine has developed in-depth knowledge of HIPAA regulations. You can contact Christine at [email protected]. You can follow Christine on Twitter at https://twitter.com/ChrisCalHIPAA