Staff discovered the records were missing on Jan. 22 and an internal investigation was launched, he said. Letters were sent to the affected clinic patients on Friday, the same day a news release was issued.
The Health Insurance Portability and Accountability Act, known more commonly as HIPAA, requires a records breach to be reported to federal officials, the affected patients and the media. The law requires notification within 60 days of an identified breach, the HHS website states.
"The clinic is taking this very, very seriously," Hester said. "We have reported it to the Department of Health and Human Services. They haven't initiated an investigation, but we anticipate that they will."
HIPAA defines a breach as any use or disclosure that compromises the security or privacy of health information and poses a risk of financial, reputational or other harm to the affected person.
To date there has been no indication that any of the information has been used for any improper purpose, Hester said.
Sheila Walsh-McDonald, the data security ombudsman for the Utah Department of Health, was unaware of the Granger breach, but said there is no law requiring the clinic to notify state officials. Walsh-McDonald was appointed by Gov. Gary Herbert last year after computer hackers broke into a poorly protected government server and stole Social Security numbers for up to 280,000 people. Less-sensitive data on another 500,000 Utahns was also taken.
Public health officials are concerned about the volume of medical records and the types of information that could potentially be made public in any breach.
"We just have to be vigilant all the time and staff need to fully understand all of the implications," she said.
Hester said Granger is implementing new data procedures and retraining staff to guard against future losses of data or documents. The changes include ending the policy of printing and shredding patient appointment records, he said.
Despite the internal investigation, Hester said it's not clear what happened to the Granger records.
The documents, which represent only a fraction of the estimated 60,000 patients on Granger's books, were thought to have been stored in a secure location, but could not be located when it came time for them to be shredded.
It also remains possible that the records were actually destroyed, but no one at the clinic made an adequate record of that action, he said.
"We don't know for sure," Hester said. "There's a chance it's not a breach, but we're acting out of caution."