Boxes of medical records for more than 1,400 patients of Jackson Health System have been missing since January, the hospital system reported Friday, after mailing letters to affected patients informing them of the privacy breach and offering free credit protection services — even though Jackson administrators say Social Security numbers, credit card numbers and financial statements were not contained in the documents.
Matthew Pinzur, a Jackson spokesman, said the boxes of records went missing from the Health Information Management department, which handles all patient medical records, and that the missing documents were either on their way to be scanned electronically or returning from the process.
He said the records contained patients’ personal health information, which could include personally identifiable data on medical diagnoses, surgical procedures and other healthcare data protected from public disclosure under federal privacy laws.
“We take the privacy of all patient records incredibly seriously,’’ Pinzur said. “The fact that this is medical information instead of financial information does not make a difference. These are both things that we understand our patients deserve to have protected.’’
Sign Up and Save
Get six months of free digital access to the Miami Herald
As required by law, Jackson formally announced Friday that the records were missing. Chief Executive Carlos Migoya said in a memo that the hospital system would implement three changes to avoid a repeat of a similar privacy breach:
• A manager now needs to approve the release of boxes of paper medical records to drivers for transportation to off-site storage;
• Managers will receive training on the proper procedures for responding to missing patient medical documents and submitting incident reports to Jackson’s electronic reporting system, and
• Security cameras have been installed throughout the Health Information Management department at Jackson Memorial Hospital in Miami and will be installed at Jackson North Medical Center in North Miami Beach.
Notification letters also were mailed to 1,407 patients, informing them of the privacy breach and explaining that the records were first reported missing in January.
Hospital staff searched the information management department, vendor storage areas, and tracked down every patient whose medical records could have been included in the boxes, according to the letter signed by Luis Martinez, an attorney in Jackson’s corporate compliance department and privacy office.
“While it is not certain that your information was used or will be used for any inappropriate purpose, the possibility exists,’’ Martinez’s letter states.
The letter then recommends that patients contact a credit bureau and place a fraud alert on their credit file. The letter also contained an informational sheet from the Federal Trade Commission, titled “What to Do If Your Personal Information Has Been Compromised.’’
Martinez’s letter also offered affected patients an identity and credit information protection service, including credit monitoring and identity theft insurance of up to $20,000.
“On behalf of Jackson,’’ Martinez wrote, “I want to offer our sincere apology for any inconvenience to you.’’
Theft of patient data has been increasing in hospitals in South Florida and throughout the country.
In September, the University of Miami announced that many thousands of patients had their information stolen over 22 months. Last year, Jackson said a volunteer at Jackson North Medical Center had been caught using a smart phone to take photographs of more than 500 patient records. And in 2011, Jackson said an employee had stolen information of 1,800 patients.
In 2006, a front desk coordinator at the Cleveland Clinic in Weston was charged with downloading computer information on 1,100 patients that was used to submit $2.8 million in fraudulent claims to Medicare.
In virtually all such cases, hospitals employees with access to computers obtain the data and then resell the information to others who create phony claims that are sent to insurers.
But the latest Jackson case did not include the type of information that can be used for financial fraud, according to Martinez’s letter to patients, which advised those affected that “the likelihood of financial or reputational harm is not high.’’