A Baltimore law firm lost a portable hard drive containing information about its cases, including medical records for 161 stent patients suing cardiologist Mark G. Midei for alleged malpractice at St. Joseph Medical Center in Towson.
The drive was lost Aug. 4 by an employee of the firm Baxter, Baker, Sidle, Conn & Jones who was traveling on the Baltimore light rail, according to a letter obtained by The Baltimore Sun that was sent to one of the affected patients last week — two months after the drive went missing.
The data-storage device held a complete backup copy of the firm’s data, including medical records related to the stent malpractice claims, along with patient names, addresses, dates of birth, Social Security numbers, and insurance information.
“We have no reason to believe that the information on the portable hard drive has been accessed or used improperly. The software was password protected. Furthermore, it would take specialized technical expertise, software and hardware to access the records stored on it,” the letter sent to patients said.
It was signed by Anders Backlund, a senior vice president at the Omaha-based Preferred Professional Insurance Company, which provides liability coverage to St. Joseph physicians and hired the Baxter firm to represent Midei.
A law firm spokesman said the company contacted clients who may have been affected by the security breach, but declined to identify them to The Sun, citing “attorney-client” privilege.
The stent patients, who are represented by other lawyers, were notified under requirements of the Health Insurance Portability and Accountability Act, commonly known as “HIPAA.” St. Joseph confirmed the security breach in an emailed statement, saying it had been “recently informed” of the incident.
Reached on vacation, Robert Weltchek, whose law firm represents several clients suing Midei, said the security breach seemed to be an “innocent mistake.”
“It could happen to anybody,” Weltchek said, noting that one of his clients received a letter warning him of the lost hard drive. He added that “it’s unfortunate that it happened to a group of people who’ve already been victimized.”
Midei is being sued by dozens of former patients who allege he falsified their records to justify unnecessary and expensive cardiac stent procedures at St. Joseph over several years. Stents are used to prop open clogged arteries and improve blood flow.
The hospital removed Midei’s practice privileges in mid-2009. He was stripped of his medical license in July by the Maryland Board of Physicians, which found that Midei violated the state’s Medical Practice Act through unprofessional conduct, false reports and gross overutilization of health care services, among other things.
Midei has denied any wrongdoing and filed a lawsuit against the hospital, claiming he was set up.
Baxter said the hard drive — a small metal box that was about 8 inches long by 6 inches wide — was taken home nightly as part of the company’s security system, and mistakenly left behind on the train one evening. The woman who forgot it returned for the device within 10 minutes, the firm said, but it was already gone.
Baxter has since changed its procedures. The firm now encrypts its data and is looking into off-site data storage.
The law firm said it notified St. Joseph and PPIC of the loss within days via telephone and sent a formal letter confirming the incident to the hospital on Sept. 16 and the insurance company on Sept. 22.
The affected patients were notified Oct. 4, the last acceptable notification day under HIPAA.
Entities that improperly release health information “must notify affected individuals … without unreasonable delay and in no case later than 60 days following the discovery of a breach,” under HIPAA, according to the U.S. Department of Health and Human Services.
PPIC is offering patients whose records were lost a one-year membership to an anti-identity theft service “as a precautionary measure” on “behalf of St. Joseph Medical Center.” The service “helps detect possible misuse” of personal information, Backlund’s letter said.
“We deeply regret any inconvenience this may cause you,” Backlund wrote. “We have taken this seriously and the law firm has confirmed it plans to change its computer system so that this information is encrypted.”
tricia.bishop@baltsun.com
Article source: http://www.baltimoresun.com/news/bs-md-stent-hard-drive-20111010,0,1553244.story?track=rss