ST. LOUIS — Gary Fiorino set out to explore a hidden part of St. Louis earlier this year. He knew the area as a landmark of World War II, where a small-arms munitions plant at Goodfellow and Interstate 70 produced artillery shells until it was demolished in 2006.
What he found: the secrets of dozens of patients of a local dialysis clinic.
“Well, you never know what you're going to see and what you're going to find when you explore these kinds of areas,” Fiorino said. “And then I ran across these boxes of medical records.”
He checked through them and found sensitive details from almost 60 different people who received dialysis services at DaVita Florissant Dialysis on West Florissant Avenue.
“Found names, Social Security numbers, addresses, lab reports, entire medical history of people and personal information," he said. "And that kind of flabbergasted me. I used to work as a customer service rep for an HMO, and so it's very important under HIPAA and other laws. That's extremely sacred and confidential information. So for me to see this just out here roaming around, anybody could take a Social Security number and find out all about a personal medical history. It just seems totally inappropriate.”
Fiorino knew his discovery warranted an investigation. He reached out to 5 On Your Side.
What the I-Team’s PJ Randhawa found was shocking: six big boxes filled to the brim with patient files, scattered all over the curb and exposed to the weather. Some of the boxes had absorbed water and were missing their lids. There’s no way of knowing if any records were removed before Fiorino found them.
The files in the boxes included the name of a specific dialysis clinic in Florissant owned by DaVita Inc. The company has 2,753 outpatient dialysis centers serving more than 206,000 patients across the United States.
Left out in the rain
One of those patients was Christine Scott. She received dialysis from DaVita Florissant Dialysis for nearly 14 years.
“Right now, I'm feeling somewhat violated because that's personal information,” she said. “And not only that, it's 14 years of information, personal information. Information comes back from the hospital, that goes into those files as well. So there's a lot of personal information that's in those files that I feel like I have totally been violated now, just open up to whoever.”
Scott is one of the patients whose records the I-Team identified in those boxes. We reached out to see if anyone had warned her that her files had gone missing. She told us that the call from 5 On Your Side was the first time she knew her information had been out of DaVita’s control.
“I've been thinking about it since, you know, we received the call, is that, for them to be found, where they were found, that they had to be placed there by somebody. Who that somebody is? I don't know. But again, it lies with DaVita, it lies with them. They were responsible for how they're to handle my records,” said Scott. “You just don't put them on the back of a truck and let someone drive them off and drive through the City of St. Louis and decide where they want to dump them at. And that is an insult to me. However they got there, DaVita is responsible for that.”
An unprecedented breach
The next person to see the files was a state investigator for the Missouri Department of Health and Senior Services. Donya Lowrie had the responsibility of finding out why this happened.
“This is just not something you see," Lowry said. "You know, I've been a surveyor almost 20 years, and this is a rare occurrence. I mean, let's face it. Everywhere you go in a medical facility now, you have to sign a consent, you know, for HIPAA.”
HIPAA, the Health Insurance Portability and Accountability Act, is a federal law requiring health care providers to keep medical information confidential and secure. The penalties for violating HIPAA are steep, ranging from $100 to $50,000 per violation.
Lowry said it’s still unclear whether the records were dumped by someone working for DaVita or for a records storage company that DiVita contract with.
“There's just all kinds of scenarios,” said Lowry.
Since Missouri does not regulate dialysis clinics, DHSS can do very little in response to the records breach.
“We do not have monetary penalties related to their deficiencies,” said Lowry. “They're given a chance to present what's called a plan of correction.”
The I-Team turned the files back over to DaVita after the investigator reviewed them. The representative they sent to retrieve the boxes said he could not answer any questions.
DaVita refused the I-Team’s request for an interview. Tiffany Marsh, regional operations director over Florissant Dialysis Center provided this statement:
“The health, safety and privacy of our patients is of utmost importance to us. We were disappointed to learn recently that a small number of files from Florissant Dialysis appear to have been lost or stolen. We are actively investigating this situation and have notified those who may have been affected. We have also put additional safeguards in place, including increased teammate training, auditing and restrictions to physical file access to help ensure this does not happen again.”
"Lost or misplaced"
Scott and other patients whose records were in the boxes said that, after 5 On Your Side notified DHSS and DaVita, they received letters from DaVita notifying them that their records had been “lost or misplaced.”
It did not provide enough answers for Scott.
“They did not give me respect," she said. "Didn't call me. And I have not heard from them. Somebody knew that those records didn’t get where they’re supposed to go. Absolutely. Somebody knows. And to me, DaVita is that somebody.”
The state closed its investigation early in October, saying that “the complaint was found to be Substantiated, with no violations of current […] non-compliance.”
The findings letter to 5 On Your Side noted that “if the facility has already taken appropriate corrective actions by the time the survey team initiates the on-site visit, no deficiencies related to the allegation will be cited, because the problem has already been addressed.”
DHSS referred the possible violations of HIPAA to the US Department of Health and Human Services Office of Civil Rights. DHHS has not responded to 5 On Your Side’s request for an update on its investigation.