The medical details of in excess of 10,000 patients of a Naperville, IL-based psychiatrist – Dr. Riaz Baber, M.D. – have been located in the basement of an Aurora residence by the female who rented the house from the psychiatrist.
The files in question had been kept in the basement for a minimum of at least four years.
The woman, Barbara Jarvis-Neavins, was allegedly given a key to the basement by the psychiatrist’s spouse as access was needed when workmen had to visit the residence. She, Ms. Jarvis-Neavins, was told that she was had to accompany workmen when they needed to access the basement.
Jarvis-Neavins said she wished to report the presence of the files, and that she was able to access the storage area, but thought that by doing this she would be asked to vacate the property by the landlord. When she was advised that she had to leave the house was being sold, she contacted law enforcement – including the FBI – and state regulators to report the incident. The FBI referred her to the Department of Health and Human Services’ Office for Civil Rights and she submitted a complaint. She also contacted media outlet NBC 5.
NBC 5 reporters investigation the tip off and broadcast the story in March, 2017. She advised reporters that boxes of files were stored in the basement and that the files there “has [patients] name, their address, their birthdate, their social security number, what’s wrong with them, what they’re being treated for, and what medication.”
NBC 5 reporters went to the property and contacted Dr. Baber. His attorney released a statement confirming the tenant should not have been given access to the basement, that a key was never given to her, and that the records were secured and the doors to the basement were locked. The files were believed to have been removed from the property the day after NBC 5 contacted Dr. Baber.
On September 28, 2017, the Office for Civil Rights was made aware of the breach of 10,500 records of Dr. Riaz Baber. It is not obvious exactly why it took six months for the breach to be officially reported, when HIPAA Rules require a breach report to be filed within 60 days of identification.
Covered organizations and their business associates that choose to store physical records such as physicians’ notes, charts, x-ray films, or documents off site must put in place administrative, technical, and physical measure to ensure the confidentiality, integrity, and availability of patients’ protected health information (PHI). Access to the facility must also be restricted to stop unauthorized people from accessing PHI. In this case, some of the files were accessed by Jarvis-Neavins and the reporters, although no damage seems to have been done to patients.