Stephenville Medical & Surgical Clinic has disclosed that it was involved in a data breach related to inadvertently emailing an archived list of patients to a single individual. 

The incident occurred May 19, when an individual requested the clinic email a blank medical record release form. Rather than emailing the blank form, an employee in the Medical Records Department mistakenly emailed a spreadsheet containing a list of former patients, most of whom had not been seen at the clinic for more than 9 years. The recipient opened the document that evening and determined it was not the form requested.  The recipient immediately deleted it. 

The next morning, the individual contacted the clinic to report the error. 

The spreadsheet included patient’s name, date of birth, medical record number, and, for some patients, the date the patient last visited the clinic.  For many patients, the list did not include a full date of birth or information about the date last seen in the clinic.  The medical record number is unique to SMSC and has no potential use except at this facility.

The list did not include sensitive medical or financial information. It did not include diagnoses or what providers the patients saw. It did not include addresses, phone numbers, credit card numbers, insurance information, or social security numbers. Thus, it is unlikely the individual receiving this list could use the information to perpetuate identity theft or any other fraudulent activity.  It is also important to note that SMSC was not hacked. No records were stolen.  This incident was the result of accidental human error.  And again, no sensitive medical or financial information was included.

SMSC brought in an independent firm to conduct an assessment of this incident, ultimately concluding the incident posed little, if any, risks to the patients involved.  During the course of the investigation, the recipient fully cooperated, including meeting with representatives of the outside firm on multiple occasions, signing an affidavit regarding the incident, and ensuring the information was deleted from the “deleted” folder of the computer.  The recipient is a long-time patient of the clinic and believed to be honest and trustworthy – conclusions that the outside investigation also made.  SMSC has no evidence that any of the data provided to the recipient has been or will be used or misappropriated.

Letters to potentially affected patients are being mailed.  These letters explain what occurred and offer identity protection and restoration services.

In the course of the assessment, SMSC mitigated potential harm to its patients by reasonably assuring itself that the recipient had deleted the email and would not use or misappropriate anyone’s information.  The employee who made the mistake was terminated.  SMSC also changed how the information is stored to prevent this type of incident from occurring in the future.  Clinic employees undergo yearly training to ensure they understand and maintain patient privacy and data security.

SMSC understands the importance of safeguarding protected health information and takes that responsibility seriously.  The clinic is strongly committed to maintaining the privacy and security of all patient data.