Information Regarding the Recent Breach of Confidential Patient Information
Milton Hospital has become aware of a potential breach of patient confidentiality stemming from a private physician group's external billing agency, Goldthwaite Associates, that improperly disposed of paper records containing private patient information.
Goldthwaite Associates, handles billing services for Milton Pathologists, Inc., a private physician group who conducts pathology tests for Milton Hospital. Goldthwaite Associates, routinely receives documentation from Milton Pathologists, Inc., which it uses for billing purposes. Goldthwaite Associates, has informed Milton Pathologists, Inc. and Milton Hospital that no more than three years of these documents were disposed at a transfer station in Georgetown, MA.
Whose information was involved?
Based on our initial investigation, the potential breach appears to be limited to pathology patients from 2007 though 2009. Our investigation concludes that 15,252 individual pathology tests were conducted by Milton Pathologist, Inc., during that time period. We estimate these tests encompass between 8,000 and 12,000 patients.
What types of information were on the documents?
The information on the documents include individuals' full names, addresses, dates of birth, Social Security numbers, insurance information including policy numbers, patient identification numbers, as well as protected health information including diagnoses relating to pathology tests. Not included on these documents are bank account information and/or credit card numbers.
Can you tell me if my confidential information is involved?
If you had pathology tests completed by Milton Pathologists, Inc., at Milton Hospital between January 1, 2007 and December 31, 2009, your personal information may have been involved. You will receive a letter from Milton Pathologists, Inc., if it is determined that any of your information may have been included. We expect these letters to be distributed in the next several weeks.
Pathology testing can be performed on tissues taken from the body during many types of surgeries. Some of the most common surgeries in which tissue samples may be sent to pathology include: hernia repairs, appendectomies, knee surgeries, hip surgeries, gastrointestinal surgeries, colon surgeries, colonoscopies and gastroscopies, colectomies and nephrectomies. Other common specimens sent to pathology for testing are fluids and cells from the body. The fluids and cells can come from in and around the lungs, the abdomen, the throat and joints. These test specimens most commonly come from four locations: 1) the operating room, 2) the endoscopy unit, 3) occasionally the emergency department or an inpatient unit, and lastly, 4) physician offices in Milton Hospital's medical office building. Specimens drawn from our outpatient laboratory drawing station are not involved in this issue. In addition, no PAP smears were conducted by Milton Pathologists, Inc., during the time period in question.
Have the confidential documents involved been compromised?
According to our investigation, a small number of documents disposed at the Georgetown transfer station were gathered by an employee of the Boston Globe, and delivered to the Boston Globe for purposes of reporting the incident. The Boston Globe has reported that they will dispose of these documents responsibly.
When were these documents improperly disposed?
Our investigation indicates that the documents were disposed of on July 26, 2010.
What could I do to protect my information?
While Milton Hospital has no evidence that anyone's personal information has been accessed in an unlawful manner, there are a number of steps you could take to protect yourself:
• Some state laws, including those in Massachusetts, allow you to place a security freeze on your credit reports. This would prohibit a credit reporting agency from releasing any information from your credit report without your written permission. You should be aware, however, that placing a security freeze on your credit report may delay, interfere with, or prevent the timely approval of any requests you make for new loans, credit mortgages, employment, housing or other services.
• If you believe that you have been a victim of identity theft and you provide the credit reporting agency with a valid police report, it cannot charge you to place, lift or remove a security freeze on your credit reports. In all other cases, a credit reporting agency may charge you up to $5.00 each time you place, temporarily lift, or permanently remove a security freeze.
• You may also want to place a fraud alert on your credit report. This can help prevent someone from opening additional accounts in your name or changing your existing accounts. You can call any one of the three major credit bureaus listed below. As soon as one credit bureau confirms your fraud alert, the others will be notified automatically of the alert.
• You should also order a copy of your credit report. You are entitled to receive a free credit report annually from each of the three credit bureaus. Even if you do not find suspicious activity on your initial credit reports, the Federal Trade Commission recommends that you check your credit reports and credit card statements periodically. For more information, visit www.annualcreditreport.com, call 877-322-8228 or contact these agencies:
• In addition, if you believe that you have been the victim of identity theft, you have the right to file a police report and obtain a copy of it. Many creditors will want the information from the police report before excusing you from paying for any fraudulent charges or debts.
• You can also file a complaint with the Federal Trade Commission at www.ftc.gov/idtheft or at 1-877-ID-THEFT (877-438-4338).
• Here are some things that could help you determine if your medical information could have been used by someone else:
• Getting a bill for medical services you didn't receive
• Being contacted by a debt collector about medical debt you don't owe
• Seeing medical collection notices on your credit report that you do not recognize
• Attempting to make a legitimate insurance claim and discovering your health plan says you've reached your limit on benefits
• Being denied insurance because your medical records show a condition you don't have
• Noticing on a statement from your health plan that the health plan paid claims for care you did not receive.
If you believe someone else may have used your medical information, you may wish to consider taking additional steps which are outlined on the Federal Trade Commission's website at www.ftc.gov.
How long has Milton Hospital been aware of this situation?
Milton Hospital was made aware of the improper disposal of patient information on August 5, 2010. It is our understanding that legal responsibility to report and respond to this incident rests with Milton Pathologists, Inc., and Goldthwaite Associates. However, Milton Hospital is making every effort to provide assistance and information to our patients in order to address this matter, including posting this information online, and working with Milton Pathologists, Inc., to distribute notification letters to all patients potentially affected.
What is Milton Hospital doing to address this situation?
Milton Hospital is addressing this issue in many ways. Within hours of being alerted to the potential information breach, we launched an internal investigation to determine the source. We then suspended sending any further patient information to the agency in question.
We have compiled information about the situation that occurred to determine the scope of the breach. We have prepared information to share with past patients whose information may have been involved. We also began working with Milton Pathologists, Inc., and Goldthwaite Associates to ensure that all requirements for reporting to federal and state agencies, as well as to patients, are met.
We have made this information available for patients to refer to, and we are preparing to launch a telephone hotline to call for information regarding the risk of identity theft and monitoring credit accounts.
Finally, we have launched an audit to confirm that our current practices for handling confidential information provide the utmost protection of that information, both within the hospital, and among our external associates.
Can you provide more details about what happened?
The most important details have already been publicly released, such as the potential scope and types of information that were contained in the documents in question, the approximate numbers of individuals whose information may be involved, and what we know of how the documents were improperly disposed. The release of this information is consistent with federal law. We are working with Milton Pathologists, Inc., and Goldthwiate Associates, to ensure that all relevant details are reported to regulatory agencies. Updates about this matter will be posted here.
How can I be confident that Milton Pathologists, Inc., and Milton Hospital take information security seriously?
The security of patient information is of critical importance to us. Both Milton Hospital and Milton Pathologists, Inc., are fully committed to safeguarding confidential patient information internally, and demand that external agencies with legitimate access to this information strictly adhere to the same high standards.
At this time, we have suspended issuing any further patient information to Goldthwaite Associates, until we are assured that proper safeguards for protecting patient information are restored.
Milton Pathologist, Inc., and Milton Hospital's first priority is to our patients, and we sincerely apologize for any difficulties that may arise as a result of this breach of confidential information.