The PHI of 17,000 Patients from Oregon and Massachusetts Exposed

The healthcare records of over 17,000 patients were compromised in two healthcare data breaches in Massachusetts and Oregon.

Lane County Health and Human Services in Oregon has informed over 700 patients about the loss of some of their protected health information (PHI). Forty-nine boxes of patient documents were moved to a temporary storage space while the Charnelton Clinic in Eugene was being remodeled. The boxes were found to be missing during a scheduled monitoring check on June 19.

A number of teams joined the search for the boxes, but they could not be found. Lane County Health and Human Services thinks the boxes could have been destroyed along with other paper files as part of its regular document management steps for non-medical records; however, that cannot be confirmed.

The information in the documents included patients' full names, addresses, phone numbers, medical histories, and Social Security numbers. The documents pertained to 566 patients who visited the Community Health Centers in Lane County and 149 clients of Lane County Developmental Disabilities.

Lane County has notified the affected patients about the breach and offered to reimburse the fees for a 6-month credit monitoring service membership. Lane County Health and Human Services has already evaluated its policies and procedures for storing information and has acquired specialized health data storage services to enhance security and safety.

New England Dermatology has notified 16,154 patients about the improper disposal of some of their PHI. Boxes of paper records were discarded without first rendering the data unreadable and undecipherable, as required by HIPAA. Paper files that contain sensitive data are generally shredded before being thrown away; however, in this instance the files are thought to have been taken by the garbage contractor before they were shredded.

New England Dermatology had no way to determine exactly which files were affected, so all patients who visited its Northampton office from June 10, 2013 to May 23, 2018 were notified of the potential exposure of their PHI.

The compromised data included patients’ names, contact information, and patient data recorded at the time of their visits. No highly sensitive information, such as bank account details, credit and debit card information, medical insurance details, or Social Security numbers, was exposed.

New England Dermatology has already updated its waste disposal policies to prevent any more data breaches of this nature. Clinic employees and contractors also received extra training.

Christine Garcia is the staff writer on Calculated HIPAA. Christine has several years of experience in writing about healthcare sector issues, with a focus on compliance and cybersecurity. Christine has developed in-depth knowledge of HIPAA regulations. You can contact Christine at [email protected]. You can follow Christine on Twitter at https://twitter.com/ChrisCalHIPAA