Tuba City Regional Health Care Corporation is a non-profit health care facility that has been providing health care to the community and patients since 1910.
Recently we discovered that dietician treatment cards were missing during a department move from the main hospital to the new Outpatient Primary Care Center. Treatment cards included personal health information and phone numbers used by the dietician to counsel patients. Upon learning of this, we launched an internal investigation to try to determine what happened to the cards. We believe that the cards were inadvertently destroyed in the facility’s trash compacter.
A description of the types of unsecured protected health information involved in the breach:
Dietician treatment cards included but not limited to: patient name, date of birth, phone number, medical record number, treatment plan, progress notes, medications, diagnoses, procedures, height, weight, visit dates, and diagnostic findings.
What steps individuals should take to protect themselves from the breach:
Tuba City Regional Health Care Corporation has received no information to indicate that anyone has attempted to access, use, or disclose this information. However, as a further precaution, the following steps may assist you in preventing any future misuse of your private information.
- Any person who thinks he or she has been potentially harmed by this breach should call Tuba City Regional Health Care Corporation at 928-283-2452 and speak with the Compliance Officer, or 928-283-2726 and speak with the HIPAA Privacy Officer about any questions or concerns they may have. Tuba City Regional Health Care Corporation designated staff will assist in determining if the person’s protected health information or any other private and personal information was actually part of the missing dietician’s treatment cards.
- Social security numbers were not part of the breach, however if it is determined that a person’s protected health information was contained in the missing treatment cards, the affected person should go to www.AnnualCreditReport.com and request a free credit report. By reviewing their credit report, the affected person can discover if anyone has attempted to make a purchase, open up, or access bank accounts, applied for, received, or used a credit card, or engaged in other illegal uses of the personal information of the affected individual. If an affected individual desires, Tuba City Regional Health Care Corporation will provide assistance in protecting the affected person’s personal information.
- If you determine that your protected health information was contained in the missing dietician treatment cards, you may want to check all bank accounts, credit card records, utility records, and any other personal financial records to see if there were any unauthorized purchases, services requested, withdrawals of money, or other unauthorized acts signifying that someone may be trying to illegally use your personal information. Any attempt to use your information is a crime and should be reported to your local police department.
What Tuba City Regional Health Care Corporation is doing to investigate the breach, to mitigate potential harm to affected individuals, and to protect against any further breaches:
A thorough investigation has been conducted under the coordinated oversight of the Corporate Compliance Director, the HIPAA Privacy officer, and Senior Leadership Council. The investigation has included the review of relevant information and documentation. Interviews were conducted with persons who were involved with the department moving into the new building, and/or had knowledge of the contents of the missing dietician treatment cards and/or the ability to access, use, or disclose any of the information of the missing dietician treatment cards. To protect against any future breaches, Tuba City Regional Health Care Corporation is conducting mandatory training on HIPAA and Compliance for each department. This is in addition to the mandated annual training for all employees that has been in place for many years. We have also implemented HIPAA privacy and security inspections throughout the facility. Policies detailing the types of HIPAA breaches and recommended sanctions are being developed and will be distributed to all staff.
As required by law, Tuba City Regional Health Care Corporation will self report the incident to the Office of Inspector General, Unites States Department of Health and Human Services. Notification of the incident will be placed on the facility’s website and will be published in a local newspaper for public disclosure.
Contact procedures for individuals to ask additional questions or learn additional information:
If you think your private information may be included in this breach, or you think that your privacy or security has been harmed by some unauthorized person, or would like to ask additional questions, please contact Tuba City Regional Health Care Corporation, 167 North Main Street, P.O. Box 600, Tuba City, AZ 86045. You can call Tuba City Regional Health Care Corporation at the following telephone number: Corporate Compliance Director at 1-928-283-2452 or HIPAA Privacy Officer at 1-928-283-2726.
Information about this information breach will be posted on Tuba City Regional Health Care Corporation Website: https://tchealth.org/ for a period of 90 days starting on June 8, 2011 through September 8, 2011.
We sincerely apologize for any inconvenience this has caused our patients and our employees from Tuba City Regional Health Care Corporation.
# # # #