A March 3 tornado in Lebanon, Tennessee, hit home for more than 1,600 people in Poplar Bluff.
On that date, STAT Informatics Solutions LLC., a medical records contractor for Poplar Bluff Regional Medical Center, was hit by the tornado and suffered severe damage. The result was the potential exposure of 1,619 medical records, including patients’ full names, social security numbers, dates of birth, record and account numbers, medical images, diagnoses, doctor documentation, medications, test results and other information.
The data breach, along with one from Saint Francis Medical Center/Ferguson Medical Group, appeared in the last two weeks on the U.S. Department of Health and Human Services’ breach information website. The page lists all breaches reported within the last 24 months that are currently under investigation by the Office for Civil Rights.
STAT notified PBRMC immediately after the discovery, and local hospital representatives visited the site immediately.
According to information from the HIPAA Journal, the company erected a fence around the building and security guards were put in place to protect it.
An undated notification on PBRMC’s website reports staff on the scene were able to confirm most of the records remained in the building.
“We sincerely apologize for this incident and regret any inconvenience it may cause,” the hospital told those whose records were affected in the incident.
The hospital believes there is “no evidence the information has been or will be used in a way that would cause financial harm,” it said in its disclosure to patients.
Local hospital staff declined further comment on the incident, citing pending litigation.
Patients, whose records were affected because of the tornado, will be offered free credit monitoring services, if they choose to accept it.
Anyone with questions about the data breach is encouraged to contact the hospital at 855-465-5157.
The hospital’s notification can be found on its website at https://www.pbrmc.com/notice-of-potential-data-breach.
The most recent data breach incident at Saint Francis Medical Center came last fall, when more than 107,000 patient records were held in a ransomware attack at Ferguson Medical Group in Sikeston, part of Saint Francis Medical Center.
On Nov. 20, Saint Francis published a notice saying “On Sept. 21, 2019, Saint Francis became aware that the computer network that Ferguson Medical Group utilized prior to being acquired by Saint Francis Medical Center experienced a cyber attack on Sept. 20, 2019.”
The attack, Saint Francis said, made all medical records before Jan. 1, 2019, inaccessible to the company.
“Saint Francis took immediate steps to secure the network and worked with federal law enforcement throughout that process,” the notice stated.
While Saint Francis did not pay the ransom, it did restore most records from available backup files.
“Any records for services provided at FMG between Sept. 30, 2018, and Dec. 31, 2018, as well as any documentation that had been scanned into the FMG system, regardless of date, were unable to be restored, ” Saint Francis said.
While Saint Francis officials did not return emails seeking comments on the data breach, its notice states it “does not believe that this incident resulted in disclosure of any patient information to any unauthorized third parties.”
Saint Francis did notify all impacted individuals and offered credit monitoring services.
“Saint Francis regrets that this incident occurred and is committed to providing quality care and safeguarding personal information,” its notice said.
Patients who were affected can call 866-611-1186 for more information.
Both breaches were reported, as required, to the U.S. Department of Health and Human Services and remain under investigation.