[BreachExchange] Arizona Anesthesia Group Notifies 882,590 Patients of Data Breach

Audrey McNeil audrey at riskbasedsecurity.com
Fri Aug 19 16:00:50 EDT 2016


http://www.lexology.com/library/detail.aspx?g=43160994-74b7-401f-8b15-13da8bcfc33c

Valley Anesthesiology and Pain Consultants (“VAPC”), a physician group of
more than 200 anesthesiologists and pain management specialists with
several locations near Phoenix, Arizona, began notifying patients on August
11, 2016, of a potential data breach involving protected health information
(“PHI”), despite the fact their retained forensic consultant found no
evidence that the information on the computer system was accessed. However,
the consultant was unable to definitively rule that out after
investigation, and it did confirm that an individual gained access to a
system containing PHI. The physician group elected to take the proactive
route of notifying affected individuals. The forensic firm was apparently
called in shortly after VAPC learned on June 13, 2016, that a third party
may have gained unauthorized access to VAPC’s computer system on March 30,
2016, including records of 882,590 current and former patients, employees
and providers.

On its website, VAPC says they value their relationship with patients and
so decided to mail the notification letters. Law enforcement was also
advised, and a dedicated call center has been set up to answer patients’
questions. Patients have been advised to review the statements they receive
from their health insurer and to advise the insurer of any unusual
activity. The computer system accessed is believed to have contained
patient names, limited clinical information, name of health insurer,
insurance identification numbers, and in some instances, social security
numbers (“SSN”). No patient financial information was included in the
computer systems. For providers, the information included credentialing
information such as names, dates of birth, SSN, professional license
numbers, DEA (Drug Enforcement Agency) and NPI (National Provider
Identifier) numbers, as well as bank account information and potentially
other financial information. The employee records on the system included
names, dates of birth, addresses, SSNs, bank account information and
financial information. Individuals who had their SSN or Medicare number
exposed are being offered credit monitoring and identity theft protection
services.

The circumstances of the incident illustrate the quandary regarding the
presumption that it is a reportable breach if you can’t prove there was no
access to the information, and the interplay between the HIPAA Security
Rule and the Privacy Rule. Here, it was apparently established the system’s
security was breached, but unclear whether personal health information was
accessed once the unauthorized individual was in the system.