HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

106,000 Mid-Michigan Physicians’ Patients Potentially Impacted by Breach

The protected health information of 106,000 current and former patients of the radiology center of Mid-Michigan Physicians has potentially been compromised.

McLaren Medical Group, which manages Mid-Michigan Physicians, has announced that the breach affected a system that stored scanned internal documents such as physician orders and scheduling information, which included protected health information such as names, addresses, telephone numbers, dates of birth, Social Security numbers, medical record numbers, and diagnoses.

McLaren Medical Group discovered the breach in March this year, although the investigation into the security breach was protracted and notifications were delayed until the investigation was completed.

That investigation confirmed the protected health information of seven individuals was definitely accessed, although potentially, the records of 106,000 patients could also have been viewed as a result of the radiology center’s system being compromised.

Get The Checklist

Free and Immediate Download
of HIPAA Compliance Checklist

Delivered via email so verify your email address is correct.

Your Privacy Respected

HIPAA Journal Privacy Policy

McLaren Medical Group says its computer system has been reconstructed with additional security protections in place to prevent further incidents of this nature from occurring. All patients affected by the incident have been offered credit monitoring and identity theft services without charge.

Breach notification letters have now been issued to all individuals potentially impacted by the security breach, although it has taken five months for those notification letters to be sent. The HIPAA Breach Notification Rule requires individuals impacted by a PHI breach to be notified as soon as possible, and certainly within 60 days of the discovery of the breach.

This year, Presense Health settled potential HIPAA Breach Notification Rule violations with OCR for $475.,000 after impermissibly delaying the issuing of breach notification letters to patients by one month. It was the first time OCR has settled a case with a covered entity solely for delaying breach notification letters.

Recently, Deven McGraw, deputy director for health information privacy at OCR, confirmed that waiting 60 days to send breach notification letters is a violation of HIPAA Rules. Letters must be sent as soon as possible after a breach. A five-month delay will certainly be scrutinized by OCR and a financial penalty may be deemed appropriate.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.