Possible hospital privacy breach tied to failure to shred reports

University of Tennessee Medical Center
The University of Tennessee Medical Center is notifying 8,000 patients of a possible privacy breach after patient information was thrown in the trash instead of being shredded, per hospital policy, the Knoxville News Sentinel reports.

Although UT officials don't  believe any patient information was disclosed, used or accessed inappropriately, "out of an abundance of caution," the hospital is sending potentially affected patients letters about the breach, according to UT Medical Center spokesman Jim Ragonese.

Hospital officials first became aware of the situation on Oct. 4.

In the letter to patients, Gary Thomas, UT Medical Center's HIPAA officer, explained that a daily administrative report is printed to a secure location in the hospital. Then a hospital staffer stores the report somewhere in the department. Each day, the report was thrown out in the trash, rather than shredded first; each report contained patient information, including names and Social Security numbers.

The hospital immediately corrected the disposal process, and employees are being retrained on correct document disposal procedures, according to the News Sentinel.

Unlike a recent case at Holy Cross Hospital in Fort Lauderdale, Fla., where ER patient data was stolen and used to set up fraudulent debit, credit and bank accounts, UT does not seem to be aware of any evidence that the information was used. Perhaps that explains why it is not offering free credit monitoring as Holy Cross did. Instead, UT is giving all patients who might be affected information on how to get free credit reports and a toll-free telephone number to get answers about the incident.

To learn more:
- read the Knoxville News Sentinel article

Related Articles:
Hospitals fined $667K for patient privacy breaches
10 Egregious Patient Privacy Breaches
Pharmacies sue CVS Caremark over privacy issues
Stolen ER patient data prompts hospital to offer free credit monitoring