Lisa Madigan, the Illinois Attorney General, has filed a lawsuit against a Northbrook HIPAA Business Associate (BA) for failing to destroy medical records prior to disposal. The BA is alleged to have exposed the PHI of at least 1,500 individual patients.
The complaint says that the attorney general’s investigators found 1,500 medical records at Shred Spot. The company had received the medical records from Filefax Inc. of 3405 Commercial Ave., Northbrook. According to the suit, as reported by the Chicago Tribune, “an individual by the name of Halina Bysiek took 1,100 pounds of paper out of the container and brought it to another Sky Harbor business, seeking cash for recycled material.” The data had allegedly been left in an “unlocked garbage container behind the building in the Sky Harbor business park.”
Paul Kaufmann, owner of Shred It, identified the material as medical records and alerted his trade association, the National Association for Information Destruction. Following the advice he received, Kaufmann contacted the state attorney general’s office, and an investigation was launched.
Filefax Inc. is a BA of the HIPAA-covered healthcare provider Suburban Lung Associates (SLA). In an earlier media release posted on the company website, the healthcare provider announced that the HIPAA breach involved data including patient names, addresses, dates of birth, phone numbers, Social Security numbers and Protected Health Information (PHI) including medical diagnoses and treatment received. SLA also said, “We believe this is an isolated incident, only involving records of patients last seen in 2004.”
The incident occurred on or around February 6, 2015, and SLA learned of the security breach on February 11, 2015. The data breach notice, issued to the Department of Health and Human Services’ Office for Civil Rights (OCR) on April 13, indicates that 2,984 medical records were exposed. Breach notification letters have now been dispatched to all affected individuals, and credit monitoring services have been offered.
Madigan said, “This company brazenly violated the law and jeopardized the personal information and privacy of thousands of Illinois residents.” The lawsuit cites the Illinois Consumer Fraud Act which permits a fine of up to $50,000 for each violation in addition to a further $10,000 if the victim in question is a senior citizen.
Other violations cited include the Consumer Fraud and Deceptive Business Practices Act and the Personal Information Protection Act, the latter carrying a $100 fine per record up to a maximum of $50,000.
Under HIPAA, fines of $100 per violation up to $25,000 can be issued by state attorneys general for breaches of PHI as defined by the HIPAA Security Rule, but it is a fine from the OCR that will be felt the most. The OCR has the authority to issue fines of up to $1.5 million per HIPAA violation.