McLaren accused of leaving patient medical records in decommissioned hospital
LANSING, Mich. (WILX) - Patient medical records are meant to be private.
But one of Lansing’s largest hospitals is being accused of leaving behind boxes of confidential patient files in a decommissioned hospital.
When McLaren Greater Lansing opened its new state-of-the-art hospital near Michigan State University’s campus, it closed its Pennsylvania and Greenlawn campuses. Used office furniture, electronics, medical equipment, and more items no longer needed at the new facility were left behind.
Hospital officials decided to auction off the items and gave the public an opportunity to inspect them before going up for sale. But not everything left behind was meant for the public’s eyes.
A whistleblower who attended the April 19th preview at the Pennsylvania campus says he found several boxes containing patient files. In images sent to News 10, a patient name, address, phone numbers, and other medical information could be seen. News 10 took steps to black out the personal patient information for this report.
The whistleblower, we are calling “Troy”, asked not to be identified. He said he was surprised to find the files out in the open while looking through auction items. Troy says he came forward so sensitive information could be properly disposed of.
“There’s a lot of people who’ll just take a whole new identity,” Troy told News 10. “The date of birth and social security information is all anybody needs.”
Protecting patient privacy
The Health Insurance Portability and Accountability Act – also known as “HIPAA” – is a federal law meant to prevent sensitive patient information from being released without a patient’s approval.
Violations of patient privacy could lead to fines or other regulatory action by the United States Department of Health and Human Services.
In a 2021 report to Congress (https://www.hhs.gov/sites/default/files/breach-report-to-congress-2021.pdf), DHHS says there were 64,180 breaches of HIPAA-protected information affecting more than 37-million individuals.
Michigan State University Health compliance officer Michele McDonald is not connected to the alleged breach at McLaren. But she says hospitals, doctor and dentist offices, pharmacies, and anyone who handles personal medical information has a responsibility to make sure this information doesn’t get into the wrong hands.
“We have physical safeguards in place, including proper disposal of protected health information. All locations have shred bins where our staff can essentially dispose of those records,” said McDonald.
McLaren, which oversees 14 hospitals in Michigan and Ohio, says patient privacy is paramount. In an e-mailed statement to News 10, it said:
“When McLaren Greater Lansing began the transition to our new health care campus last year, we undertook a massive data destruction effort to ensure physical copies of old patient records, legal, and business documents were appropriately purged. Unused office furniture and equipment was also stored at our former campuses to be donated or auctioned off in the future.
We recently enlisted a third-party to administer an auction for unused equipment and furniture. During a controlled preview of the items to be auctioned, an individual was apparently able to gain inappropriate access to documents that had yet to be destroyed. This individual apparently took photographs and a video of the materials and chose to deliver them to the media.
It is absolutely unacceptable that someone was able to gain access to any documents that had yet to be purged. We are conducting a comprehensive investigation into how an individual was able to gain access to documents and will fully comply with any regulatory requirements — including providing appropriate communication and protection for patients — that result from the investigation.
Patient privacy is paramount to our organization. We are taking additional measures to reverify all documents awaiting destruction are locked in secure areas and will immediately purge any remaining materials to ensure they are not inappropriately obtained or stolen.”
McLaren denied News 10 requests to show how the documents were being secured after we brought the issue to their attention.
The patient whose information was seen in the photo says she’s concerned that the hospital didn’t do more. “I am very shocked and disappointed that my personal information wasn’t properly taken care of,” she said.
Michigan Attorney General’s Office encourages identity theft protection
For Troy, who found the files lying around the former Pennsylvania Avenue campus, he hopes medical officials who oversee sensitive information do more to protect their patients from theft of personal data.
“You know how quickly somebody can ruin your credit history. I lock all my stuff down because I don’t want anybody opening things like a loan or something in my name,” he said. “It could really mess things up.”
The Michigan Attorney General’s Office says you should act immediately if you believe personal information falls into the wrong hands. (https://www.michigan.gov/ag/initiatives/michigan-identity-theft-support)
The Attorney General’s Office says you should:
- Contact your financial institution (bank, credit union, etc.).
- Check your credit report and put a freeze on your credit, if necessary.
- File a Federal Trade Commission Identity Theft Report or police report.
There are four main ways to protect your personal information:
- Know who you share information with.
- Store and dispose of your personal information securely.
- Ask questions before deciding to share personal information.
- Maintain appropriate security on your computers and other electronic devices.
Other tips from the Attorney General’s Office:
Keep Documents And Records Safe
- Maintain a written record of the contacts you have made in the process to recover your identity
- Document dates, names, phone numbers, report or file numbers and notes from any conversations related to your identity theft
- Confirm conversations by following up in writing via certified mail so that a return receipt is provided
- Send copies only of all documents
Keep Your Personal Information Secure
- Ensure passwords used for your credit card, bank, and phone would not be easy for a thief to figure out
- Do not use your mother’s maiden name, birthdate, or the last four digits of your social security number
- Unless you made the initial contact, do not provide personal identifiable information
- Secure personal information in your home
- Especially if you have roommates, employ outside help, or are having work done on your home
- Dispose of trash carefully and use a shredder
- Do not carry your social security number or card in your wallet
- Keep your purse/wallet in a secure area at work
- Do not carry multiple credit and debit cards
Keep Devices Safe
- Ensure virus software is current on your personal computer
- Use a firewall program
- Use a secure browser
- Do not open files sent by strangers
- Do not store financial information on your laptop
- Do not use automatic login features
Subscribe to our News 10 newsletter and receive the latest local news and weather straight to your email every morning.
Copyright 2023 WILX. All rights reserved.