
Gone But Not Forgotten

David Schulz Article, Guest Post

Texas Attorney General Sues Defunct San Antonio Provider over Improper Disposal of PHI

November 15, 2015 — Legal action has been taken by the Texas attorney general’s office against Alliance Health Management & Consulting Inc. for the improper disposal of Protected Health Information (PHI) of patients.

A defunct home health care management company that was based in San Antonio has been sued by the state over clients’ personal information found in a recycling container at Stevenson Middle School.

Files belonging to Alliance Health Management & Consulting Inc. were recovered by Northside Independent School District police officers on July 14, 2014, and eventually were turned over to the Texas attorney general’s office, according to a lawsuit filed against the company.

The files were dumped FIVE years after Alliance Health Management & Consulting Inc. permanently closed its doors for business in July 2009.

According to the lawsuit, “The defendants failed to implement and maintain reasonable procedures to protect and safeguard from unlawful use or disclosure sensitive personal information.” Civil penalties for improper disposal of PHI have been pursued, and the state is expecting to recover up to $20,000 for each violation. Under state laws the company was required to ensure that the confidentiality of the company’s clients was not violated.

The threats that privacy breaches present to businesses are threats to their very existence.

Food for thought: among our neighboring firms that have also been breached in 2015, now waiting for the other shoe to drop, are:

  • Seton Family of Hospitals, with 39,000 Austin and Hill Country patients made vulnerable by falling for a phishing attack;
  • Lone Star Circle of Care, which compromised the personal information of 8,700 people, including 6,300 patients. Their website designer was responsible for posting a backup file on Lone Star’s, revealing PII, SPI as well as PHI.
  • HealthSouth Rehabilitation Hospital of Round Rock spent Christmas ’15 notifying individuals that a laptop containing unsecured protected health information was stolen from the trunk of an employee’s vehicle on or around Halloween.

Moral to the tale? The cost of compliance is trivial compared to the cost of doing nothing.

David Schulz

David is Executive Director and Chief Privacy Officer for Cyber Risk Associates. Cyber Risk Associates’ mission is to provide enterprise-quality privacy and security solutions to small healthcare practices and business associates, scaled and tailored to the individual firm, to achieve HIPAA compliance.