Further 4,100 Cardiac Patients Notified of Breach of ePHI
A further 4,100 cardiac patients have been notified that some of their protected health information was exposed due to a security breach at Wilmington, DE-based Ambucor Health Solutions (AHS). The patients had previously had cardiac devices fitted at the New Mexico Heart Institute in Albuquerque.
The Heart Institute contracted Ambucor Health Solutions to provide a cardiac monitoring service for its patients. AHS had implemented appropriate technical, physical, and administrative safeguards to prevent the unauthorized disclosure of patients’ electronic protected health information in accordance with HIPAA Rules; however, a former AHS employee breached company policies and accessed and copied patients’ ePHI to two flash drives prior to leaving employment.
The data copied to the devices included patients’ names, birthdates, phone numbers, addresses, medication information, testing data, information about patients’ medical devices, where the patient had the device fitted, the name of the technician who fitted the device, and the name of patients’ physicians.
It is unclear why the data was copied, although AHS does not believe any of the information has been used inappropriately or disclosed to anyone other than the employee who copied the data. The flash drives have since been recovered via law enforcement. An analysis of the data on the devices showed no Social Security numbers, financial data, or insurance information were compromised. At this stage it is unclear whether the former AHS employee will face criminal charges. Both AHS and the New Mexico Heart Institute have taken further precautions to prevent future ePHI breaches of this nature from occurring.
Ambucor Health Solutions is providing affected patients with identity theft protection services and cover with a $1 million identity theft insurance policy, but it is the responsibility of each covered entity to submit its own breach report to the Department of Health and Human Services’ Office for Civil Rights. It is therefore unclear at this stage exactly how many patients have been impacted by the breach. This announcement brings the running total of individuals affected by the Ambucor Health Solutions breach to 9,657. Those individuals reside in Massachusetts, New Hampshire, New Mexico, Pennsylvania, and South Carolina.