2,200 Franciscan Health Patients' PHI Exposed Due to Unauthorized Access, and Boxes of Medical Records Abandoned in Chatham, Chicago

Franciscan Health, based in Mishawaka, IN, learned that a former employee accessed the protected health information (PHI) of about 2,200 patients without authorization.

Franciscan Health discovered the privacy breach during a scheduled privacy audit. On May 24, 2019, Franciscan Health confirmed that an employee assigned to the quality research department had accessed patients' electronic medical records without authorization or a valid work reason.

The person involved no longer works at Franciscan Health. The incident has been reported to law enforcement officials. Despite the confirmed unauthorized PHI access, Franciscan Health did not find any evidence that the employee duplicated, transmitted, or shared any patient data.

Franciscan Health has stored patient data in its medical record system since 2012. The former employee used this system to access patient records, which contain information such as names, email addresses, addresses, birth dates, telephone numbers, gender and race/ethnicity information, the last four digits of Social Security numbers, and health record numbers.

The former employee may also have accessed the following information for some patients: doctor's name, diagnoses, laboratory test results, prescribed medicines, other treatment details, driver's license numbers, emergency contact details, and insurance claims data. The records also included the complete Social Security numbers of a small subset of patients.

Franciscan Health will send breach notification letters by mail to all patients affected by the breach. The letters will include information on registering for free identity theft protection services for 2 years.

Another recently reported potential breach involved boxes of medical records abandoned outside the Medical Professional Home Healthcare Center in the Chatham area of Chicago, IL. The medical records contained sensitive patient information.

Carmen Dooley operates the Medical Professional Home Healthcare center, but Dooley's state health medical department license and business license expired in April 2017 and were not renewed. Upon visiting the property, the Illinois Department of Public Health found it to be abandoned and without utilities. The business owner could not be found, so Medicare decertified the agency in 2017.

According to a recent CBS report, the medical records were returned to the storage containers located on the property. Later, however, the containers were removed and the records were left in piles 5 feet high. Some local property owners said the records were left there for months and that the documents held years of sensitive information. The report stated that Dooley did not approve the removal of the storage containers and did not know that the documents had been abandoned.

James Keogh

James Keogh has been writing about the healthcare sector in the United States for several years and is currently the editor of HIPAAnswers. He has a particular interest in HIPAA and the intersection of healthcare privacy and information technology. He has developed specialized knowledge in HIPAA-related issues, including compliance, patient privacy, and data breaches. You can follow James on Twitter at https://x.com/JamesKeoghHIPAA and contact him on LinkedIn at https://www.linkedin.com/in/james-keogh-89023681.