Methodist patient information breached
Stolen hard drives held no financial records, but patients are advised to take precautions
The confidential health information of nearly 2,000 heart patients of Houston Methodist Hospital is at risk following the mid-February theft of portable storage devices containing clinical data.
Notification letters were mailed to the patients last month apprising them that their name, gender, date of birth, procedural images and code number, medical record number and doctor’s name were contained on external hard drives that were removed from hospital premises and then stolen from a vendor’s car.
“We deeply regret any concerns you might have as a result of this breach,” the letter said. “We want to assure you we have extensive safeguards in place to protect the privacy and security of our patients’ health information and we continually review and update our security safeguards.”
The hard drives were removed, in violation of established protocol, by a vendor representative who operated Methodist’s cardiac catheterization lab. The representative, who believed the designated storage room was locked “due to the late hour of the day,” left the devices in his vehicle, which was later broken into.
The letter, which went to 1,987 patients, did not give the name of the vendor.
Police were unable to recover the hard drives, and a private investigator hired by Methodist could not find any relevant video footage.
The letter said the vendor representative has been “removed from the premises” following a Methodist internal investigation that determined he failed to follow hospital policies, training, technical safeguards and contractual obligations as well as the controls of his medical device manufacturer employer. It added that “alternative controls” are being implemented.
None of the patients’ financial information was contained on the hard drives, the letter said. It also said the procedural images are viewable only through a proprietary medical device.
The letter added that Methodist nevertheless recommends patients not respond to unsolicited questions they receive related to their care or financial status. It said patients “might also consider notifying your health plan of this incident and monitoring your explanation of benefits statements.”
Despite noting that financial information was not compromised, the letter also advised the patients that they can learn more about identity theft and how to protect personal information at the Federal Trade Commission’s website. It also suggested the patients consider Web Watcher, an identity monitoring service that watches targeted internet sites for use of personal identity information.
Hospitals are required by state, federal and international law to provide notice of such breaches of patient information.