Carondelet St. Mary's Hospital

St. Mary’s is one of Carondelet’s two hospitals in Tucson.

A Tucson doctor’s logbook was stolen from her car in March, compromising protected health information for more than 1,000 patients who visited Carondelet St. Mary’s and Carondelet St. Joseph’s emergency rooms.

All patients have been notified of the breach of confidentiality and have been offered a year of free credit monitoring, said Dr. Lori Levine, privacy officer for Emergency Medicine Associates, which provides ER staffing coverage for the two hospitals’ emergency departments.

The logbook covered patient visits between Oct. 14, 2015, and March 25, and contained the following patient details: name, date of birth, age and gender, hospital name, date of hospital visit, hospital medical record number, a hospital number identifying the visit, and in some cases, a short description of the patient’s medical issue.

“EMA takes safeguarding the privacy of its patients’ personal information very seriously,” Levine said in a news release. “In response to this theft, EMA has reviewed and revised its policies regarding logbooks and provided additional training to its physicians so that incidents like this can be prevented from occurring in the future.”

A spokesman for Tenet Healthcare Corp. of Texas — which is majority owner of the Carondelet Health Network — referred all questions to Levine, since the breach didn’t involve Carondelet employees.

Breaches of the patient privacy law known as HIPAA, or the Health Insurance Portability and Accountability Act, must be reported to the U.S. Department of Health and Human Services. Between September 2009 and December 2012, more than 22 million patients were affected by breaches that compromised protected health information, according to the department’s most recent report to Congress, submitted in 2014.

The report identified theft as the most common cause of HIPAA breaches in the years between 2009 and 2012.

In Tucson, the doctor’s decision to take the logbook home with her and leave it in the car wasn’t in itself a violation of HIPAA, but it’s definitely not a recommended practice, said Trish Markus, a North Carolina-based health-care attorney who focuses on data privacy and security.

On the bright side, the compromised patient data did not involve Social Security numbers or payment information, making it less likely the patients involved will suffer adverse effects financially, Markus said. But with details such as the patient’s name, date of birth and medical record number, the thief could attempt to pose as a patient by assuming his or her “medical identity.”

The theft didn’t involve the patients’ original medical records, which are electronic at Carondelet hospitals, Levine said. Original medical records are legal documents and belong to the patient.

That’s another silver lining, Markus said.

“The loss of (the logbook), other than the fact that it contains patient information, is probably less problematic for the emergency group from a business standpoint,” she said. “But from a reputational standpoint, obviously it’s never good when you have something like this happen.”

Levine said in an email that Emergency Medicine Associates has been reviewing its providers’ use of logbooks.

“In response to this incident, EMA has recently provided additional HIPAA training,” she said, but would not elaborate on what the training involved, nor whether doctors are now advised not to take logbooks home.



Contact reporter Emily Bregel at ebregel@tucson.com or 573-4233. On Twitter: @EmilyBregel