HARRIS COUNTY, Texas — Ben Rosales saw potential profit when he won a storage unit auction sight unseen.
“I’ve bought storage units with comic books, with collectibles,” Rosales said.
But recently, what he mostly got was box after box of medical records.
“It’s like 200 boxes,” Rosales said as he showed us around the unit.
Hundreds of files detail personal patient data including healthcare histories, names, addresses and Social Security numbers.
The records pose a massive data breach risk if exposed to the wrong person.
“These doctors are trained on how to handle these files, they’re not supposed to be left behind,” Rosales said. “So it’s something I was not supposed to find.”
The records are from East Houston Medicine and Pediatric Center, which is not far from the storage facility. The doctor there told us over the phone that he inadvertently let his storage lease lapse, leading to the auction. He said he’s contacted an attorney to see how to proceed, while Rosales has reached out to multiple patients as well as agencies that deal with privacy violations.
“He’s not supposed to just not pay his storage and leave it behind for anybody to just get their hands on,” Rosales said.
Rosales said he offered to deliver the records back to the clinic for $15,000, but the doctor refused to pay.
According to state law, medical records must be maintained for at least seven years after a patient’s last visit and can only be destroyed by shredding or burning.
We’ve reached out to multiple oversight agencies including HHS but have not heard back.