News Feature | January 5, 2015

Health System's Good Deed Leads To Data Breach

Christine Kern

By Christine Kern, contributing writer

Healthcare Data Breaches

A 'serious mistake' results after CDs with PHI were donated to children’s art project.

Philanthropy is a good thing, but if you’re not careful it can land you in hot water. This was the lesson learned by the Virginia Commonwealth University Health System when it recently found itself facing a breach of PHI when it donated a series of CDs to an art program for children, according to

VCUHS officials said notifications were being sent out to patients regarding the security of certain patient information. According to the notice, between January 2012 and October 2014, a series of compact discs that were no longer necessary for VCUHS services were donated for children’s art projects, and some of those CDs contained sensitive patient health information for approximately 1,000 medical records.

The CDs were ones that had been provided by patients who had been referred to VCU Health Systems for treatment, and included full names, medical diagnoses, medication information, and social security numbers for the involved patients.

Becker’s Hospital Review reports the CDs were accidentally donated by an employee. According to the Richmond Times-Dispatch, any potential disciplinary action involving the incident would remain confidential. VCU spokeswoman Anne Buckley asserted that no evidence of misuse of the PHI has been detected, and the notice was being sent out as a required precaution.

“The population that we are concerned about are folks that brought their information in the form of CDs that were referred to us,” John Duval, CEO of MCV Hospitals and Clinics told the Richmond Times-Dispatch. “Any breach of this type has to presume that there might be individual discs out there that are still readable, so we have the duty to both investigate this to the limits of our ability and then to notify the folks of the risk that their personal health information might have been compromised.”

“What began as a well-intentioned philanthropic effort by a staff member wanting to help turned into a serious mistake that we are working very hard to remedy,” Duval said in the press release. “This error brought to light a vulnerability in our system that developed over time and that we are working to correct, and we are deeply sorry for the inconvenience this may have caused some of our patients.”

According to Duval, rules regarding CDs and their disposal have been tightened to prevent any future breaches. “Large data breaches are happening across many industries, including health care, and are very concerning to all,” Duval said in the release. “The VCU Health System has revised its protocols regarding media destruction and will redouble its efforts to protect all sensitive information.”