A private Chattanooga doctor's office waited about a month to notify more than 1,700 patients that some of their personal information had been lost.
The Chattanooga Family Practice on Spring Creek Road first noticed that a computer flash drive with patient information was missing on July 15, said Laura Watkins, office administrator. A letter sent to patients about the lost drive - which contained 1,711 patients' names, dates of birth and reasons for visitation - is dated Aug. 16.
Watkins said that, according to federal law, physician practices have 60 days to alert patients about lost information.
"You try to get them out as soon as you know what to put out, and that takes some time to investigate," she said. "It wasn't anything done intentionally or anything like that."
A physician was using the flash drive to back up the information in case of a computer crash, Watkins said. The physician took a laptop with the flash drive intact to another location within the office and the staff believes it "jiggled loose," she said.
"From what we've been able to re-create, it probably was accidentally thrown away by housekeeping," Watkins said.
After a week of searching and investigating, the office alerted the U.S. Department of Health and Human Services, she said.
The office has received "very little" feedback from patients, Watkins said, and only one person has been angered by the lost information.
"I've been upfront with everybody with what happened," she said.
In accordance with the American Recovery and Reinvestment Act of 2009, cases involving lost information of 500 individuals or more must be posted online.
"We do receive those on a regular basis," said Michael Robinson, a spokesman for Health and Human Services.
From Sept. 22, 2009, to July 28, 2010, there were 146 "breaches" affecting 500 or more people nationwide, according to the department's website. The number of affected people in such breaches ranged from500 to more than 1 million.
Of the 146 cases listed, 17 involved a "portable electronic device" such as a flash drive.
Katherine Lindgren, director of the University of Tennessee at Chattanooga's School of Nursing, said students in the school are advised not to put patient information on any portable electronics.
"They're not to put anything on a flash drive - nothing," she said. "That is the patients' information; that is not information that belongs to you."
There's no law saying such information cannot be put on a flash drive, Lindgren said, but "a common-sense approach" should be taken regarding patient privacy.
Even if lost data contains only a name, date of birth and reason for visitation, a person who finds that data will know "exactly who this person is" and may be able to use the reason for the visit against the patient, she said.
"If the reason for the visit is, 'I'm experiencing nausea and vomiting,' then what would (someone who found the information) do with that?" Lindgren asked. "But if the reason for the visit is, 'I have an STD [sexually transmitted disease] or I think I have an STD,' you never know what anybody's intent is. That's the kind of information that I don't think anybody would want out."
The largest report of lost patient information recorded on Health and Human Services' website was a 2009 incident involving BlueCross BlueShield of Tennessee. The state's largest health insurer had the information of nearly 1 million patients stolen from its abandoned Eastgate Town Center office.
The insurer has said none of the information lost - which was on computer hard drives in a storage facility - has been used illegally.
"You read in the news periodically where your information may have been compromised. I've received notices (of breaches) myself," Lindgren said. "If you ask, 'Would I want this done to me?' it's very simple to come up with the answer - no."