Following a break-in at a file storage facility in East Brunswick, New Jersey, the Otolaryngology Associates of Central Jersey is in the process of alerting patients to a breach of their protected health information. The files stolen included information such as names, addresses, health insurance account numbers, birth dates, dates of military service, and the names of treating physicians. A limited number of driver’s license numbers and Social Security numbers were also included in the stolen records.
The site manager quickly noticed the theft and local law enforcement was notified. An internal investigation was launched into how the incident occurred. The site has since taken measures and implemented more stringent security measures to reduce the likelihood of similar breaches occurring in the future.
The medical records were being stored in accordance with state and federal laws, and related to past patients that had received treatment at either of Otolaryngology Associates of Central Jersey’s two facilities in East Brunswick and Franklin townships. All affected individuals have now been notified of the breach, in accordance with HIPAA’s Breach Notification Rule.
Alongside the internal investigation, a criminal investigation was also launched into the crime. Law enforcement quickly apprehended a suspect. That individual, Fernando Rios, 33, of Sayreville, was arrested for the burglary after law enforcement received a tip off after Rios attempted to sell the records on the black market. The person who Rios offered the records to contacted the U.S Department of Homeland Security. The records have been retrieved, and are now being handled appropriately.
As the stolen records were promptly recovered, Otolaryngology Associates of Central Jersey believes the risk of patient data being used for malicious purposes is low. However, they still need to follow HIPAA guidelines on the appropriate way to handle any potential consequences of the breach.
Rios has been charged with second degree trafficking in personally identifiable information, second degree identity theft, and third-degree burglary. Rios faces a minimum jail term of 5 years.
The incident has been reported to the Department of Health and Human Services’ Office for Civil Rights, but has yet to appear on the OCR breach portal. Several online sources claim the boxes of files contained approximately 1,000 patient records.