HOUSTON — Several prominent Houston-area hospitals are notifying patients about a breach after medical records were found scattered on a sidewalk in Midtown by a KHOU 11 employee.

KHOU 11 News launched an investigation after discovering the hundreds of documents contained private information that included patients’ names, dates of birth, diagnoses, treatment, medication lists, vital signs and admission dates.

Medical documents blurred_1538520524197.png.jpg
Several prominent Houston-area hospitals are notifying patients about a breach after medical records were found scattered on a sidewalk in Midtown by a KHOU 11 employee.

The records involve approximately 1,800 patients of MD Anderson Cancer Center, LBJ Hospital, Memorial Hermann Hospital, Children’s Memorial Hermann, and TIRR Memorial Hermann.

The records were stolen from the trunk of a medical resident’s locked vehicle in July, according to officials with UTHealth.

The recent graduate didn’t notify police about the burglary until after a KHOU reporter contacted him.

He had studied at UTHealth’s McGovern Medical School and had worked at MD Anderson, LBJ, Memorial Hermann, Children’s Memorial Hermann and TIRR.

It’s not clear how or why a resident would take medical records out of the hospitals.

“We promptly took steps to investigate the circumstances of the disclosure, which revealed that the stolen documents had been discarded on a city street and found a day later by an employee of KHOU-TV Channel 11,” UTHealth said in a statement. “We have no evidence that the patient information was used or viewed between the theft and the recovery.”

Lisa Cotrone, 37, is one of the patients whose information was found in the papers strewn on the street.

She was treated at Memorial Hermann Hospital after a horrific car crash four years ago. She suffered organ failure, broken bones and a traumatic brain injury.

“I don’t remember anything, nothing,” Cotrone told us.

But her mother will never forget.

“Her lung collapsed, and they were filling up with blood. She wasn’t breathing. She ended up having a stroke in the helicopter on the way downtown,” Diane Cotrone said.

Learning her daughter’s medical records were so carelessly discarded was disturbing, to say the least.

“For someone to be this careless with all these papers, not just one or two, but stacks of papers. That’s not good,” Diane Cotrone said.

KHOU reached out to a handful of patients as part of the investigation. Several wanted to share their frustration about the privacy breach.

“It should never have gone home. It should never have been left in somebody’s car. It should have stayed at the hospital. At the school or at the hospital,” said a Houston-area woman whose husband was treated at MD Anderson. She asked not to be identified. “My husband passed away this year. To find out his medical records were laying on the side of the street, it makes me feel almost like he has been violated and he isn’t here to defend himself.”

In a statement, UTHealth said the hospitals involved are sending letters to patients who are impacted by the breach.

KHOU 11 News returned the original medical records to UTHealth so they could report the HIPAA breach to the government and notify the hospitals.

We reached out to the hospitals and none wanted to comment on camera but did send us the following statements:

MD Anderson:

"Patient privacy is of extreme importance to The University of Texas MD Anderson Cancer Center. We are working with UTHealth to address this incident, and we have provided information to our patients who were impacted."

Memorial Hermann Health System:

"Protecting the privacy of our patients is of utmost importance to Memorial Hermann. We have contacted the patients whose information was involved and provided a dedicated number to answer any questions they may have."

Harris Health System:

"We value our patients’ right to privacy. Harris Health System continues to collaborate with the University of Texas McGovern Medical School and the physician involved to have KHOU return our patients’ protected health information, to determine how best to reach out to the impacted patients about the situation, and to ensure that all federal and state regulatory requirements are satisfied."

UTHealth:

"UTHealth Media Release UTHealth Makes Public Notification of Incident Related to Patient Information HOUSTON – (Sept. 14, 2018) – The University of Texas Health Science Center at Houston (UTHealth) announced today an unauthorized disclosure of protected health information potentially affecting approximately 1,800 patients. The incident involved records of patients at five Houston area patient care facilities. The documents were in paper form and consisted of call sheets, rounding notes, medical record number stickers, and/or surgical schedules. Information included patients’ names, dates of birth, diagnoses, treatment, medication lists, vital signs and/or admission dates. No other identifying information was included. A recent graduate of a UTHealth medical residency program notified the UTHealth Privacy Office of the incident on July 24, 2018. He reported that his vehicle had been burglarized on July 17, 2018, and that patient records which were in the trunk of his locked vehicle had been stolen. We promptly took steps to investigate the circumstances of the disclosure, which revealed that the stolen documents had been discarded on a city street and found a day later by an employee of KHOU-TV Channel 11. We have no evidence that the patient information was used or viewed between the theft and the recovery. The KHOU employee who found the records then provided them to the news station, and a journalist began contacting the physician and some patients whose records had been disclosed. To properly safeguard the patients’ information, UTHealth and others involved made numerous requests to retrieve all of the patient records in KHOU’s possession. On Aug. 6, 2018, a representative of the news station returned the original documents to UTHealth. Since learning that KHOU made and retained copies of the information, UTHealth has asked repeatedly that the copies be returned or destroyed. We are grateful to the KHOU employee who found the documents, and we do not believe KHOU has disclosed any of the affected patients’ health information. We again respectfully request that KHOU return all copies of the records or destroy them without further compromising the privacy and dignity of the affected patients. We deeply regret that this situation has occurred, and we apologize to all affected patients. UTHealth and its health care partners are committed to providing quality care while safeguarding patients’ protected personal information. We remain steadfast in keeping and strengthening policies and procedures to protect patient privacy. We have reminded physicians to destroy documents when they are no longer needed, and we have repeatedly emphasized to physicians that they must ensure that patient information in their possession is secure at all times. We have also increased the visibility and accessibility of shredders in our facilities and asked our health care partners to do the same. Additionally, we are implementing measures to ensure that physicians discontinuing their affiliation with UTHealth and its affiliated health care partners either destroy or return any protected health information in their possession. Letters are being sent by the health care entities involved to their patients affected by the breach. Any patient who wishes to further protect their information in this case can contact KHOU Executive Producer Jennifer Cobb, and request that the news organization destroy any of their information that KHOU has retained. Her telephone number is 713-284-1087, and the address is KHOU11 News, 4343 Elgin St., Houston, TX, 77004. Patients who would like more information are encouraged to contact the UTHealth Privacy Office at 713-500-3391 or 1-888-472-9868; email privacy@uth.tmc.edu; or write to UTHealth Privacy Office, 7000 Fannin, Suite 1460, Houston, Texas 77030."

Patients who would like more information should contact the UTHealth Privacy Office at 713-500-3391 or 1-888-472-9868, or email privacy@uth.tmc.edu.