A medical group that provides anesthesia services to Kansas City metro hospitals has notified 3,472 patients that some of their personal information may have been compromised after surgery schedules were stolen from an employee’s car.
Anesthesia Associates of Kansas City posted a notice on its website that the surgery schedules may have included some patients’ names, dates of birth, types and dates of surgery, and the name of the patients’ surgeons.
Patient addresses, Social Security numbers, insurance and financial information were not included on the schedules.
“We had an employee that was doing something he wasn’t supposed to be doing,” said Mark Meisel, Anesthesia Associates’ CEO.
Meisel said the employee, a nurse anesthetist, put his backpack containing surgery schedules in a visible part of his car – a violation of the medical practice’s data security protocols.
“Unfortunately, you can tell people what the rules are, but this person didn’t follow the rules,” Meisel said.
Meisel declined to say whether the employee had been fired or disciplined.
The theft, which occurred in December, did not affect all of Anesthesia Associates' patients. But Meisel said that out of “an abundance of caution,” it notified patients who underwent surgery between April 4, 2018, and Dec. 4, 2018.
The theft was reported to police but the backpack and its contents have not been recovered.
Anesthesia Associates, which is based in Overland Park, Kansas, provides anesthesiology services to Children’s Mercy Hospital as well as hospitals owned by HCA Midwest Health, including Belton Regional Medical Center, Lee’s Summit Medical Center, Menorah Medical Center, Overland Park Regional Medical Center and Research Medical Center.
With about 240 anesthesiologists, certified registered nurse anesthetists, pain management specialists and other clinicians, it’s the largest anesthesiology practice in the Kansas City metropolitan area.
The data breach is one of several that have occurred in the last few months at local and regional health care practices. Last month, Sunflower Health Plan, one of the managed care organizations that insures Kansas Medicaid patients, reported a data breach affecting 1,625 plan members after it sent ID cards and welcome packs to the wrong recipients.
Also last month, Valley Hope Association, which operates drug and alcohol rehab clinics in Kansas, Missouri and five other states, said that an unauthorized individual accessed the email account of an employee and may have viewed patients’ health information. That breach affected 70,799 individuals.
Dan Margolies is a senior reporter and editor at KCUR. You can reach him on Twitter @DanMargolies.