Target 8: Spectrum Health patient records left on resold fax

Spectrum Health, fax machine
A Spectrum Health fax machine that was resold without its memory being properly cleared. (Oct. 5, 2017)


GRAND RAPIDS, Mich. (WOOD) — Target 8 has uncovered another leak of patient information at Spectrum Health.

“I want them to say sorry,” said one victim of the security breach.

In August, 24 Hour News 8 reported on the theft of a camera from a doctor’s car that contained patient’s information and pictures.

Now, Target 8 has learned another doctor’s old fax machine that was still storing patient diagnosis information was sold. The new owner contacted Target 8.

FAX SURPRISE

Angel Belladonna is the new owner of Spectrum Health’s old fax machine. Her husband said he purchased it from a resale shop a few years ago. They were using it as a printer until recently when they needed to send a fax.

Normally when a fax is sent, a confirmation page is printed to let you know it went through. When that didn’t happen, Belladonna’s husband accessed the machine’s memory to print out a copy of the faxes that were sent.

“When he printed it, we didn’t get that (confirmation page). We got a bunch of people’s information,” Belladonna said. “I was kind of stunned… He pressed about two to three buttons and it started spitting out probably about 40 papers.”

It was a stack of paper with private information for more than 20 patients, including lab results, diagnoses, insurance information, home addresses, names and dependents’ dates of birth.

“I knew it was a HIPAA (Health Insurance Portability and Accountability Act) violation immediately,” Belladonna said.

FOLLOWING THE PAPER TRAIL

Target 8 Investigators determined the fax was once the property of Dr. Wendy Zink of Spectrum Health in Holland. Target 8 contacted Zink, then Spectrum Health to alert them to the problem.

Spectrum Health Chief Privacy Officer Leah Voigt says the hospital doesn’t how exactly how it happened. She’s calling the situation a fluke.

“What we do know is that we followed our privacy process,” she said.

Voigt says when a device is decommissioned, the protocol is that the machine is given to a vendor who deletes the data and then scraps or resells the machine. She says those steps were taken and there was even certification that it was cleared.

“We’re continuing to follow the process that we followed in 2012; (it) is still the process we follow today. And again, we don’t know exactly what happened with this particular fax machine, but we know we followed our process and our vendor followed their process,” Voigt said.

Voigt says the majority of Spectrum Health’s decommissioned devices were never resold. She said the hospital was able to track the “small number” that were resold, but vendors’ records don’t identify where they were resold to.

“So unfortunately we couldn’t track all the way back,” Voigt said.

PATIENT: ‘I FEEL VERY VIOLATED’

Target 8 reached out to some of the victims who were shocked to learn about the security breach.

“I feel very violated,” said one victim who Target 8 is not identifying. “I don’t know, I don’t think I’ll go back. I will not go back,” the victim added.

Spectrum Health says it will not be making any changes to its security protocol.

As for the fax that contained patient records, Spectrum Health has obtained the decommissioned device. Target 8 destroyed its copies of the records.

For victims of a security breach like this one, it doesn’t stop there.Law enforcement experts on identity theft shared steps with 24 Hour News 8 on how you can protect yourself after a security breach.

—–

Resources:

IdentityTheft.gov

FBI Internet Crime Complaint Center

Federal Trade Commission

AnnualCreditReport.com