HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

233,000 Patients Notified About PHI Breach at Genetic Testing Lab

Ambry Genetics, an Aliso Viejo, CA-based genetic testing laboratory, is notifying 232,772 individuals that some of their protected health information was exposed as a result of a recent email security breach. At almost 233,000 records, this is the second largest healthcare data breach to be reported in 2020.

Ambry Genetics discovered that an unauthorized individual gained access to an employee’s email account between January 22 and January 24, 2020, and potentially viewed and obtained the protected health information of its customers. The security team and third-party computer forensics experts were unable to determine if any information in the compromised accounts was accessed or stolen, but no reports have been received to suggest any personal information has been misused.

The email accounts were reviewed and found to contain information such as names, medical information, and other information related to the services provided by Ambry Genetics. A small number of individuals also had their Social Security number exposed.

Ambry Genetics has taken steps to enhance security, and further training on email security is being provided to its employees.

Former Arizona Endocrinology Center Physician Takes PHI of 74,000 Patients to New Employer

Arizona Endocrinology Center is alerting 74,122 patients that some of their protected health information has been impermissibly disclosed to another medical group by a physician after he left the practice.

Before Dr. Dwivedi left Arizona Endocrinology Center, he downloaded patient data and disclosed the information to his new employer, More MD. Patient names, telephone numbers, addresses, medical record numbers, and the names of patients’ primary doctors were downloaded from the EHR. No Social Security numbers, health insurance information, or financial data was obtained by Dr. Dwivedi.

Arizona Endocrinology Center learned of the incident on February 17, 2020, when patients started reporting they had received text messages from More MD advising them that Dr. Dwivedi had moved to the medical group. More MD also advertised its services in the text messages. The breach investigation revealed the data was downloaded on January 12, 2020.

Arizona Endocrinology Center has told its patients that it has no business relationship with More MD and Dr. Dwivedi no longer works for the practice, so it has been difficult to obtain solid assurances that patient data has now been deleted and will not be used. The practice explained on its website that “our patients and their families are free to contact Dr. Dwivedi and More MD directly to ask them about their personal information.”

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.