Personal, billing data are missing
By Milton J. Valencia, Globe Staff | March 24, 2009
Paperwork containing the personal medical information of at least 66 patients at Massachusetts General Hospital was lost this month when an employee apparently left it on an MBTA train.
The hospital sent out letters last week to patients whose identities were included in the lost paperwork, telling them the information listed their names and dates of birth, and private medical information, including their diagnoses and the name of the provider with whom they met. The material constituted billing records for patients who attended the hospital’s Infectious Disease Associates outpatient practice on Fruit Street on March 4.
Deborah A. Adair, the hospital’s privacy officer and director of health information services, said in a statement released yesterday that while the incident was regrettable, the hospital followed privacy laws by immediately alerting affected patients and authorities, including the state attorney general’s office and the Department of Consumer Affairs and Business Regulation.
"[Hospital] police and security are thoroughly investigating this matter not only with an eye toward recovering the missing information but also toward making sure that this will not happen again," Adair said. "Our information privacy and security policies and procedures are among the strongest in the healthcare industry, but incidents such as this remind us that we must continue to review and revise them, as well as continue to educate our staff on best practices to avoid incidents such as this."
According to hospital security reports, a manager in the infectious disease center’s billing unit told supervisors that she left the paperwork on a Red Line train the morning of March 9. The manager said she had brought the paperwork home with her to work over the weekend and left the material sometime between 7:30 and 9 a.m. The Transit Police were notified, but the paperwork was not found.
Peggy Slasman, a hospital spokeswoman, could not say last night whether the hospital has any policy regulating the handling of personal medical information or whether the incident has forced a change in policy.
The letter sent to patients states: "We want to assure you that this matter was appropriately addressed so this will not happen again."
The letter also advises patients on ways to check their credit reports, and the hospital has offered a complimentary one-year membership to a credit monitoring service.