Over the weekend, what looked like trash on Longacre Street turned out to be anything but. A pile of patient files, including one Detroit woman’s medical records, was found scattered along the block, leaving neighbors and patients rattled. Gearldine Harper said she spotted her own date of birth, address and sex among the paperwork and called the discovery “frightening.” City crews picked up most of the loose documents on Saturday, but some pages were still visible along the street on Monday. Harper says she now plans to keep a close eye on her credit and thinks others should do the same.
How the files ended up on Longacre
As reported by ClickOnDetroit, Harper recalled her reaction when she saw photos of the documents: “I see my date of birth, I see my address, I see my sex.” According to the station, the pile of paperwork included records from Oakland Physical Therapy & Hand Rehabilitation. An attorney for the company told the outlet that the landlord of one Southfield facility removed the files without the clinic’s permission. The clinic, the report says, then sent its own crew to Longacre Street to collect any remaining records. City workers, according to the same report, had already removed most of the documents on Saturday.
Clinic locations and the response
Oakland Physical Therapy & Hand Rehabilitation lists several suburban offices, including locations in Southfield and Detroit, and provides local phone numbers for patients who are now trying to find out whether their files were involved. Company listings indicate the records may have originated from one of those suburban clinics, although the chain says it is still investigating exactly what happened. It remains unclear how many patients’ information was exposed or whether the situation will rise to the federal threshold that triggers mandatory reporting.
What the law requires
Under the HIPAA Breach Notification Rule, covered entities are required to notify affected individuals and the U.S. Department of Health and Human Services’ Office for Civil Rights when protected health information is compromised, according to the HHS breach portal. That notice must spell out what types of data were involved and what steps are being taken to limit potential harm. If a breach affects 500 or more people in a single state or jurisdiction, the rule also calls for notice to prominent media outlets and a report to HHS within 60 days. The HHS portal explains how entities can submit breach reports and notes that the Office for Civil Rights may open investigations into incidents that involve unsecured protected health information.
How patients can protect themselves
Consumer guidance says that anyone who thinks their medical data may have been exposed should regularly check their credit reports, consider placing a fraud alert or a full credit freeze, and scan explanation-of-benefits statements for any medical services they do not recognize. The federal identity theft website IdentityTheft.gov and the major credit bureaus offer step-by-step instructions for ordering free reports and setting up credit freezes, while Experian provides information on the difference between freezes and fraud alerts. For now, Harper says she will be watching her own credit closely and urges other patients to follow suit.
