Fort Worth hospital reports huge data breach

Posted Thursday, Jul. 11, 2013

Texas Health Harris Methodist Hospital Fort Worth says it is notifying hundreds of thousands of former patients whose personal information on decades-old records turned up in a Dallas park instead of being destroyed by a contractor.

Wendell Watson, spokesman for Arlington-based Texas Health Resources, the hospital’s corporate parent, said the mammoth breach involves about 277,000 records on microfiche from 1980 to 1990. Only patients from the Fort Worth facility are affected.

While not all the information was found intact, Watson said, a sizable portion was, and letters are being sent to all affected parties — patients who were admitted to the hospital during those years.

Included were names, addresses, birth dates, health information and, in some cases, Social Security numbers.

Watson said Texas Health, one of North Texas’ biggest hospital systems, typically destroys records on-site at its hospitals and medical offices. However, shredding trucks operated by its contractor, Shred-it, could not handle the plastic sheets the records were printed on.

“We made an agreement for Shred-it to transport them to a facility” that could destroy the records, Watson said, “but they didn’t get shredded.”

Representatives for Canada-based Shred-it, which calls itself the world’s leading document destruction and recycling company, did not return phone calls and emails seeking comment Thursday.

Texas Health said it learned of the breach May 13, two days after the bulk of the mishandled records were found by an unidentified resident and reported to Dallas police. Three additional sheets of microfiche were found at two other locations about the same time, the company said.

Microfiche is an outdated record storage method in which paper records are photographed at greatly reduced size and imaged onto plastic pages.

“Texas Health Fort Worth recovered the microfiche and began a thorough investigation,” the company said in a news release. “The hospital believes that it is unlikely that the information was accessed or used inappropriately because microfiche is no longer commonly used, and specialized equipment is needed to read the information it contains.

“However, in an abundance of caution, the hospital is informing patients whose records may have been involved and is providing call center support to all patients and credit protection services to eligible individuals,” Texas Health said.

Letters were mailed starting Thursday, the company said. People who do not receive a letter by Aug. 1 but who suspect they are affected can call 1-877-216-3789 from 8 a.m. to 5 p.m. Monday through Friday and use reference code 4537070513.

The mishandling of physical records runs counter to most reported medical data breaches today, which typically involve electronic records. Hospitals, clinics and physician offices are rapidly converting from paper records to computer records, which allow easier use by healthcare providers but also present security challenges.

According to a survey by Verizon, healthcare organizations accounted for less than 1 percent of 621 data breaches disclosed during 2012. But medical data breaches do occur.

In a May report, Becker’s Hospital Review, an industry news service, listed nine healthcare data breaches in just one month. All but one involved electronic records such as emails, portable memory devices and online records, and most were relatively small, involving hundreds of patient records or a few thousand.

In July, thieves obtained personal information on 49,000 individuals from the Michigan Department of Community Health, the Detroit News reported. And in March 2012, hackers broke into the Utah Department of Health, affecting nearly 800,000 patients.

Jim Fuquay, 817-390-7552 Twitter: @jimfuquay
