Patients’ files left at public dump
4 Mass. hospitals investigating
By Liz Kowalczyk
Globe Staff / August 13, 2010

Four Massachusetts community hospitals are investigating how thousands of patient health records, some containing Social Security numbers and sensitive medical diagnoses, ended up in a pile at a public dump.
The unshredded records included pathology reports with patients’ names, addresses, and results of breast, bone, and skin cancer tests, as well as the results of lab work following miscarriages.

By law, medical records and documents containing personal identifying information must be disposed of in a way that protects privacy, and leaving them at a dump is probably illegal, privacy lawyers and hospital officials said. Violators face steep fines.

A Globe photographer discovered the records July 26 when he was dumping his trash at the Georgetown Transfer Station. When he got out of his car, he said, he saw a huge pile of paper about 20 feet wide by 20 feet long. Upset that the paper wasn’t being recycled, he looked more closely.

The photographer said he saw health and insurance records from at least four hospitals and their pathology groups — Milford, Holyoke, Carney, and Milton — mostly dated 2009. The Globe notified the hospitals. It is unclear how many other hospitals’ records might have been discarded in the dump.

Hospital executives and pathologists said they are distraught about the violation of patient privacy and, as required by law, are developing plans to notify the thousands of patients whose records may have been left at the dump.

The hospitals said they also plan to formally notify the Massachusetts attorney general’s office; preliminary information has already been passed along. Based on that, the attorney general’s office said in a statement it is reviewing “whether there has been a data breach.’’

Executives at two hospitals said the former owner of a medical billing company used by pathologists told them he had the records dumped in Georgetown.

“I was absolutely shocked,’’ said Dr. Kevin Dole, a pathologist at Caritas Carney Hospital. “We are trying to figure out the extent of the problem. We’re very concerned here about protecting patient data.’’

The episode highlights in dramatic fashion how hard it can be for hospitals to safeguard patient information, given the large number of doctors, insurance companies, medical billing firms, and contractors who have access to personal data in the normal course of business.

In this case, the hospitals transferred patient information to the pathologists they contract with, who in turn provided some of it to a Massachusetts company, Goldthwait Associates, that does their billing.

“This is a perfect example of how complicated the security of confidential information is,’’ said Clark Fenn, vice president for quality improvement, risk management, and corporate compliance at Holyoke Medical Center. “There are many hands that touch things. All it takes is one slip in that process for information to be released.’’