Breaking Compliance News Blog

Physical HIPAA security matters: Burglars target paper medical records

Posted by Margaret Scavotto, JD, CHC on 11/30/17 7:05 AM

Find me on:

A medical practice in New Jersey reports that burglars took 13 boxes of paper medical records from an off-site storage facility. Approximately 1,000 patient records were stolen.  


Fortunately, when the burglar attempted to sell the patient records, he was apprehended by police. He now faces charges of second degree trafficking in personally identifiable information, second degree identity theft, and third-degree burglary, with a minimum 5 year jail sentence.

This is not the only recent example of paper PHI being pilfered. This May, a Colorado medical practice was hit by a burglary – and later discovered that paper medical records were missing. The swiped records included patient names, DOBs, SSN, medical information, health conditions/diagnoses, financial information, and insurance information.

Individuals are actively seeking paper records in order to turn a profit on the black market. Why? Because a credit card number is worth about $20 on the black market – while a medical record can bring in $1,000. Medical records give criminals access to social security numbers, which can be used to open credit and bank accounts, commit tax fraud, and apply for Medicaid. Stolen medical records can also be used to fraudulently obtain access to prescription drugs, health insurance, or medical care. In extreme cases, patients’ sensitive health information can be used for blackmail.  

In the HIPAA world, paper PHI still counts! Make sure your HIPAA security risk analysis and mitigation plan include paper PHI in addition to electronic PHI.

  • Remember: There is no such thing as secure paper PHI. Your goal should be to get to a paperless environment where all PHI is encrypted. Until that goal is a reality, make sure paper PHI is secured and is as burglar-proof as possible.
  • If you use an off-site storage facility, ask the facility about their HIPAA security program. Signing a Business Associate Agreement is required – but it does not guarantee that your records are safe.  Ask what security protections are in place to protect your records and prevent burglaries.

MCS Sig Aug 2017.jpg

Topics: HIPAA

    Privacy Policy           Terms of Use