The protected health information of 106,000 current and former patients of the radiology center of Mid-Michigan Physicians has potentially been compromised.
McLaren Medical Group, which manages Mid-Michigan Physicians, has announced that the breach affected a system that stored scanned internal documents such as physician orders and scheduling information, which included protected health information such as names, addresses, telephone numbers, dates of birth, Social Security numbers, medical record numbers, and diagnoses.
McLaren Medical Group discovered the breach in March this year, although the investigation into the security breach was protracted and notifications were delayed until the investigation was completed.
That investigation confirmed that the protected health information of seven individuals was definitely accessed, although the records of up to 106,000 patients could potentially have been viewed as a result of the compromise of the radiology center’s system.
McLaren Medical Group says its computer system has been reconstructed with additional security protections in place to prevent further incidents of this nature from occurring. All patients affected by the incident have been offered credit monitoring and identity theft services without charge.
Breach notification letters have now been issued to all individuals potentially impacted by the security breach, although it has taken five months for those notification letters to be sent. The HIPAA Breach Notification Rule requires individuals impacted by a PHI breach to be notified as soon as possible, and certainly within 60 days of the discovery of the breach.
This year, Presence Health settled potential HIPAA Breach Notification Rule violations with OCR for $475,000 after impermissibly delaying the issuing of breach notification letters to patients by one month. It was the first time OCR had settled a case with a covered entity solely for delaying breach notification letters.
Recently, Deven McGraw, deputy director for health information privacy at OCR, confirmed that waiting 60 days to send breach notification letters is a violation of HIPAA Rules. Letters must be sent as soon as possible after a breach. A five-month delay will certainly be scrutinized by OCR and a financial penalty may be deemed appropriate.