Officials at Behavioral Health Services of Pickens County are trying to figure out exactly how a computer hard drive with confidential patient information made it outside the facility.
John Schafer, of Easley, a retired elevator repairman who fixes computers as a hobby, made a shocking discovery recently when he installed a used computer hard drive he had purchased.
The hard drive contained several detailed clinical assessments for patients referred to Behavioral Health Services of Pickens County and a monthly monitoring list of approximately 200 patient referrals from the Pickens County Department of Social Services.
"I couldn't believe it," Schafer said. "This is a serious violation."
BHSPC is a private non-profit mental health facility that handles the care for mental health clients for the county and state. Executive Director Robert Hiott said the facility handles approximately 2,500 clients each year and 1,500 of those are typically new patients.
When Patch informed Hiott of the breach he said he could not imagine how it had happened.
"It bothers me greatly, confidentiality is one of the hallmarks of what we do," Hiott said. "Mistakes happen but this is a very egregious error."
Schafer purchases parts from auctions, sales, and thrift stores or trades for parts with friends who are also computer hobbyists.
"I've been messing with computers since the 60's when things were still analog," Schafer said. In all the years he's been wrangling with computer parts, he said this was the first time he'd come across anything like this.
Schafer recently purchased some parts with a friend who also works in computer repairs. One of the parts he traded included a 160 GB Seagate computer hard drive that was formerly installed on a Dell desktop computer. He was surprised when upon further inspection the drive contained confidential patient information from BHSPC.
"There's information on this drive that is of an extremely personal nature," Schafer said. "Pending litigations, there's histories of people's drug problems, emotional problems.
The most shocking to Schafer was the list of patients who had been referred to BHPCS from the Department of Social Services.
"Our largest referral source is the Department of Social Services," Hiott said.
Pickens County Department of Social Services County Director Elaine Bailey said she found the leak to be extremely troubling.
"That's very concerning," Bailey said. "We expect people's information to be kept confidential when they are receiving services."
The client information and monitoring list were created as recently as June and some of the files only dated back to April 2011.
The Health Insurance Portability and Accountability Act requires that health care providers "apply administrative, technical, and physical safeguards to protect the privacy of protected health information."
"We haven't ever had that happen," Hiott said. "I never expected anything like this to happen."
HIPAA law requires that any confidential health information including names of patients be completely erased using special software or destroyed. Hiott said the standard BHSPC uses is to destroy any hard drives or digital storage devices before selling, donating or disposing of old computers.
Hiott said he planned on launching an investigation immediately to find out where the computer came from and how it came to John Schafer.
"The drive and the memory are about the only two things you'd get out of a non-working computer." Schafer said.
"There's a serious lack of responsibility on their part. If they're that lax in their security of patient records for just an old computer, how lax are they in other areas," Schafer asked.
BHSPC also receives client referrals from the South Carolina Department of Alcohol and Other Drug Abuse Services, where several of the clients on the hard drive had been referred from.
Patch was unable to reach DAODAS Director Bob Toomey for comment.
"I would never try to deny this happened," Hiott said. "I know enough to say that this will never happen again."