The medical details of over 10,000 patients of an Illinois-based psychiatrist – Dr. Riaz Baber, M.D. – have been found in the accessible basement of an Aurora property by the woman who was renting the accommodation from the psychiatrist. It is believed that the files had been left in the basement for a minimum of four years.
Barbara Jarvis-Neavins, the family renting the accommodation, is believed to have been given a key to the basement in question by the Naperville-based psychiatrist’s wife. Access was necessary when maintenance workmen had to visit the house. She was advised that she was must be with workmen when they needed to access the basement.
Jarvis-Neavins said that, at the time of the discovery, she felt she should report the presence of the files, and that she has access to them, but believed that by doing so she would be asked to leave the accommodation.
Later, when the landlord told her that she had to vacate the house as it was being sold, she reported the presence of the unsecured files to law enforcement, including the FBI and state regulators. The FBI advised her to contact the Department of Health and Human Services’ Office for Civil Rights (OCR). She then filed a complaint to the OCR and also contacted news outlet NBC 5.
NBC 5 reporters conducted an investigation and broadcast a report on this in March, 2017. She told NBC 5 reporters that boxes containing files were kept in the basement and that the files “has [patients] name, their address, their birthdate, their social security number, what’s wrong with them, what they’re being treated for, and what medication.”
NBC 5 reporters went to the house and contacted Dr. Baber. His attorney release issued a statement confirming the tenant should not have had access to the basement and that he believed that a key was never given to her. He added that the records were secured and the doors to the basement were kept locked. It is believed the boxes containing files were removed from the house the day following NBC 5 contacting Dr. Baber.
The Office for Civil Rights was informed, on September 28, 2017, of the breach of 10,500 records of Dr. Riaz Baber at the house in Aurora. No reason was given as to why it took six months for the violation to be reported as HIPAA Rules require a breach report to be files no later than 60 days after the discovery.
Covered groups and their business associates that opt keep physical records such as physicians’ notes, charts, x-ray films, or documents off site must put in place administrative, technical, and physical security controls to be certain that the confidentiality, integrity, and availability of patients’ protected health information (PHI). Access to the a facility storing such information must always be restricted to prevent unauthorized people from accessing PHI. In this scenario some of the files were accessed by Ms. Jarvis-Neavins and the reporters, although no damage appears to have been inflicted on the patients.