HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Buffalo Heart Group Suffers Insider HIPAA Breach

The Buffalo Heart Group (BHG), a Williamsville, NY provider of cardiac services, has announced – via its attorneys, Hurwitz & Fine – that it has discovered a “serious breach of its computer system” which has resulted in the Protected Health Information (PHI) of up to 600 individuals being accessed and viewed by a third party.

The security breach occurred last spring, and resulted in information being accessed by a third party acting under the direction of a physician formerly associated with BHG. The information potentially viewed includes patients’ full names, dates of birth, addresses, contact telephone numbers, their appointment schedules and e-superbills.

The information was accessed – and potentially also used to “solicit patients in connection with the physician’s new employment,” according to the healthcare provider’s attorneys.

BHG confirmed that the data breach was confined to the spring of last year and that no information was accessed after June 2014. Because no Social Security numbers, health information or financial information was inappropriately accessed or viewed, and the reason for the breach is known, BHG does not believe the data will be used for any fraudulent activity.


BHG has reported the incident to the Department of Health & Human Services’ Office for Civil Rights, the NYS Department of Health, and the Office of Professional Medical Conduct. Patients are now being notified of the data breach and will receive letters in the post in the next few days if they have been affected.

Rise in Employee HIPAA Violations

This security breach is one of a number that have resulted from employees disclosing PHI to third parties. A similar incident occurred at the University of Rochester Medical Center after a member of staff took a list containing PHI to a new employer, where it was subsequently used to send a marketing email to drum up new business.

During the past month, reports have been made of employees taking data when leaving employers, emailing spreadsheets containing PHI to personal email accounts, and viewing records without authorization. There is clearly a considerable risk of data breaches and HIPAA violations from within.

In light of the recent spate of data breaches and unauthorized disclosures, it is recommended that all employees who are required to come into contact with PHI are reminded of the HIPAA Privacy Rule and the implications of not abiding by it. The recent spate of insider HIPAA breaches and employee HIPAA violations has been covered in more detail here.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.