While ransomware attacks have hit hospitals across the country, internal breaches and human error remain a top concern for hospital CIOs.
An article published in the American Journal of Managed Care earlier this year found paper and films within hospitals and health systems are the most frequent location for data breaches, while network servers were the least common.
Here are 10 recent examples of patient records exposure that have nothing to do with cyberattacks.
1. Oak Lawn, Ill.-based Advocate Medical Center reportedly sent a patient the wrong medical records. The patient contacted the hospital to report the mistake and told CBS Chicago the hospital was surprised at the error. However, the hospital did not accept the patient's attempts to return the wrong records and had not sent the patient the right records at the time of the report.
2. In September, hundreds of medical records were found in the trash outside of a New York City medical office building. The records belonged to patients of two gastroenterologists and include the patients' names, Social Security numbers and diagnoses.
3. A laptop that belonged to a business associate at Floresville, Texas-based Connally Memorial Medical Center was stolen in April, potentially exposing 7,358 patients' protected health information. The laptop was password protected but not encrypted; since then, the hospital has updated its business associate agreements to require encryption on portable devices.
4. Western Connecticut Health Network in Danbury notified select patients that their personal health information may have been exposed in August due to a shipping mishap. A box containing medical records that had been sent through the U.S. Postal Service to the Connecticut State Department of Public Health had its seal broken during shipping; some of the contents of the box were damaged.
5. A lost flash drive from a Reno, Nev.-based Renown Health employee may have exposed the protected health information of 27,004 patients. The employee lost an unencrypted thumb drive, which stored information for patients who received inpatient services at one of the system's hospitals. The information included names, diagnoses, medical record numbers, among other information. The system reviewed its policies after the incident and reported employees would undergo additional training.
6. In February, Chicago-based Rush University Medical Center reported it accidentally exposed the names of 908 patients in a paper mailing that announced the retirement of a nurse practitioner from its Epilepsy Center; the names listed on the envelopes did not match the addresses, so patients received a mailing with the wrong name.
7. UW Medicine in Seattle had to notify 974,000 patients earlier this year that a data error in December 2018 allowed some patient information to appear in Google searches due to a human error. The files had been searchable online for a short period of time and included information such as names and medical record numbers. The health system reviewed internal protocols after the event to prevent future errors.
8. Toledo, Ohio-based ProMedica reported an employee stole patient data for a nearly two-year period between 2017 and 2019. The employee handwrote personal information from 121 patient files and removed the information from the hospital without authorization.
9. Northern Light Acadia Hospital emailed the names of 300 patients with Suboxone prescriptions to a local news source, Bangor Daily News, mistakenly earlier this year. The email violated HIPAA and included information about the medical providers treating those patients.
10. Penn Medicine in Philadelphia reported that patient information may have been inappropriately viewed by a medical assistant that was a contract employee from February to April this year. The hospital learned the medical assistant was viewing patient records without a work-related reason; Penn Medicine alerted around 900 patients that their records may have been viewed inappropriately and evaluated its staffing agencies and contractors after the event.