Thousands of Medical Records Left Unsecured–So Who's Investigating?

Federal medical privacy rules, known as “HIPAA laws”, are designed to keep your medical information confidential. They can be aggravating, stopping you from getting even basic information about a sick relative, or earning a good scolding if you don’t stand behind the line at your pharmacy.

But the penalties do not appear to be as severe for doctors themselves. Fully sixteen months after NBC 5 Investigates revealed a trove of medical records in a Naperville doctor’s unsecured basement, state and federal investigators have levied no discipline, despite what appears to have been a blatant violation of federal privacy rules.

Last March, North Aurora resident Barbara Jarvis-Neavins contacted NBC 5 Investigates, saying she was appalled that she had access to the private records of her landlord, Naperville psychiatrist Dr. Riaz Baber.

“It has their birthdate, their social security number, what’s wrong with them, what they’re being treated for, and what medication,” she said. “I could take these files and create identities and get credit cards and do all kinds of stuff, and I could be on an island somewhere. And that’s what I told the FBI!”

It was after Jarvis-Neavins got no action from the FBI, or the agency where they referred her, the U.S. Department of Health and Human Services, that she contacted NBC 5.

“I think if I was going to a doctor and he had all of my private stuff, I wouldn’t want it in somebody’s basement,” she said.

Sixteen months later, neither HHS nor two state agencies appear to have taken any action, despite the fact that the doctor’s records were in full view of furnace and hot water repair people, and of course, our own crew from NBC 5 which verified the records existence. After our repeated contacts with Baber’s attorney, we watched as the doctor hired a moving crew to remove the documents. Jarvis-Neavins moved out shortly after that. But she said it wasn’t until last month that anyone from HHS even contacted her.

When NBC 5 Investigates contacted that same investigator, we were quickly referred to a press contact in Washington who refused all comment on the case. A check of the HHS website indicates an open investigation, and that the apparent security breach involved the records of over 10,000 patients.

Despite the fact that an NBC 5 reporter, photographer, and producer were in the basement and examined the records, no investigators have contacted us to determine what we saw or how the records were secured.

“It just made me feel like he didn’t care about our privacy,” said the wife of one of those patients, who asked that we withhold her name because of her husband’s prior treatments, but told NBC 5 Investigates she was outraged that nothing had been done to penalize the doctor. “It’s not like he hired somebody and they accidentally dropped a box—he put them there and left them there!”

Federal statutes required Baber to notify patients and HHS within two months of the apparent breach. But that woman said she didn’t receive a letter until September, the same month the HHS website indicates that agency learned of the issue.

“I wondered why it took so long,” she said. “And I found out he was supposed to notify us within 60 days.”

The office of Attorney General Lisa Madigan had indicated last March they would examine the issue. But a spokesman indicated all they had done was notify the doctor of his responsibilities.

“We contacted the doctor and his lawyer to inform them what state law requires in the event of a potential data security breach,” the spokesman told NBC 5 in a statement. “This included providing guidance on how the records should be stored, how and when affected patients should receive notice, and which state and federal agencies should be contacted. The doctor reported that he conducted each of these activities as required by law.”

Likewise, the Illinois Department of Financial and Professional Regulation, which would not comment on why Jarvis-Neavins had never heard from their office. In fact, they would neither confirm nor deny whether they were investigating the breach at all.

“There is no requirement for IDFPR to update an individual on the status of an investigation,” spokesman Terry Horstman told NBC 5. “Just because a complainant isn’t interviewed does not mean that an investigation did not take place.”

As for Jarvis-Neavins, she said she feels some kind of sanction is long overdue, a sentiment echoed by the wife of that former Baber patient.

“It’s mental health, mental health!” she exclaimed. “I kind of put it at the top of the pyramid!”

Repeated inquiries to Dr. Baber’s attorney went unanswered.

Contact Us