When an administrator at Stephenville Medical & Surgical Clinic, in Stephenville, Texas, received a request for a blank medical record release form on May 19, the unnamed employee in the Medical Records Department instead sent a spreadsheet containing data on former patients, according to an article in the Stephenville Empire-Tribune.
Upon recognizing that the document was not what had been requested, the recipient deleted the form. The next morning, the individual notified the clinic of the incident.
The spreadsheet was apparently an archived document, as it contained information on former patients, most of whom had not been to the clinic in nearly a decade.
However, it did include patients' names, dates of birth, medical record numbers, and, for some clients, the date of the last visit. No medical or financial information was on the document. Neither were addresses, phone numbers, credit card numbers, insurance information, or Social Security numbers, the paper reported.
An independent firm was brought in by SMSC to investigate the incident. Following a number of interviews with the recipient, and an assurance that the file had been deleted from the "deleted" folder of the computer, the outside firm concluded that there was little, if any, risk to patients owing to the incident.
While SMSC has no evidence that any of the data on the spreadsheet has been used for fraudulent activity, those potentially affected are being sent letters explaining what occurred, along with an offer for identity protection services.
The SMSC employee who sent out the form was terminated. Further, to prevent similar incidents from occurring in the future, the facility reported that it was altering the manner in which its data is stored. Additionally, it stated that its clinic employees take a yearly security awareness class "to ensure they understand and maintain patient privacy and data security."