St Joseph Health System in North Central Indiana is contacting clients to inform them that a portion of protected health information has been breached and may have been viewed by unauthorized people. The breach did not occur at St Joseph Health, but at one of its business associates.
Central Files Inc, a secure record storage service in South Bend, IN, was hired to securely store patient records in compliance with federal and state regulations and to permanently and securely delete PHI in line with HIPAA Rules. Central Files Inc. has now permanently closed, but was required to continue storing patient records until an alternative secure records facility could be identified.
From April 1 to April 9, 2020, several healthcare groups partnered with St Joseph Health System and were informed that confidential records that held information patient information had been left in a location in the South Bend area at some point before April 1, 2020.
The records found at the site were in poor state. According to the substitute breach notification on the St Joseph Health System website, the records were “showing signs of moisture damage, mold, and rodent infestation, and damage from being mixed with trash and other debris.” Efforts were made to identify patients whose data had been exposed, but trained safety personnel found that inspecting the majority of the records would be hazardous to health and recommended the best course of action was to arrange for the records to be safely destroyed.
The records that could safely be salvaged have been recovered and St Joseph Health System has contracted a vendor to recover the remaining records from the location. That process was finished on May 20, 2020 and arrangements have been made to have those records securely and permanently destroyed.
In many instances, the records were old and contained out of date information. Some of the documentation included paper copies of medical records and billing statements that contained information such as names, contact information, Social Security numbers, dates of services, and clinical and diagnostic details. Patients have been made aware of the breach and told that no proof was found to suggest any information has been improperly used, although the possibility of unauthorized access could not be eliminated.
The records in question were linked to the following entities
- Saint Joseph Health System (From 1999 to 2013)
- Allied Physicians of Michiana (From 1995 to 2007)
- New Avenues (From June 2004 to December 2015)
- South Bend Medical Foundation (From 2009 to 2015)
- Goshen Emergency Physicians, LLC / Elkhart Emergency Physicians, Inc. (From 2002 to 2010)
- Michiana Hematology Oncology (From 2002 to 2004)
- Cardiology Associates, Inc. (From March 1, 2007 to November 30, 2013)
The breach has yet to be published on the HHS’ Office for Civil Rights website so it is currently unclear how many patients have been impacted.