St Joseph Health System Confirms the Improper Disposal of Patient Documents by Health Record Storage Center

St Joseph Health System in North Central Indiana is notifying patients concerning the compromise of some of their protected health information (PHI) because of unauthorized access. The data breach didn’t take place at St Joseph Health but in a business associate.

Central Files Inc, a safe document storage center in South Bend, IN, was hired to safely store patient files in compliance with government and state laws and to discard some records as per HIPAA regulations. Central Files Inc. is now completely closed nevertheless must continue to keep patient information until an alternate safe records center may be established.

From April 1 to April 9, 2020, various healthcare groups allied with St Joseph Health System were advised that sensitive information comprising patient information was thrown in a place in the South Bend area some time prior to April 1, 2020.

The data uncovered at the location were in a terrible state. As per the substitute breach notification published on the St Joseph Health System webpage, the files had evidence of mold, moisture damage, and rodent infestation, and damage caused by combining with trash and other particles. Efforts were done to know patients whose records were compromised, however, trained security employees confirmed that inspecting almost all the records is going to be harmful to health and endorsed the best solution was to safely dispose of the files.

The documents that can be securely taken were retrieved and St Joseph Health System has employed a vendor to retrieve the other files from the area. That process was done on May 20, 2020 and agreements were made to safely and completely dispose of those documents.

In numerous instances, the records were obsolete and included old data. A couple of the paperwork involved paper copies of healthcare information and billing statements that comprised details like names, contact data, Social Security numbers, clinical and diagnostic details and service dates. Patients were advised concerning the breach. there is no proof that indicates the misuse of any data, though the likelihood of unauthorized access cannot be eliminated.

The documents were related to these entities

Allied Physicians of Michiana (From 1995 to 2007)
Saint Joseph Health System (From 1999 to 2013)
South Bend Medical Foundation (From 2009 to 2015)
New Avenues (From June 2004 to December 2015
Michiana Hematology Oncology (From 2002 to 2004)
Cardiology Associates, Inc. (From March 1, 2007 to November 30, 2013)
Elkhart Emergency Physicians, Inc. / Goshen Emergency Physicians, LLC (From 2002 to 2010)

The HHS’ Office for Civil Rights breach website hasn’t posted the breach yet, hence it is unclear at this time how many patients were impacted.