The Buffalo Heart Group (BHG), a Williamsville, NY, provider of cardiac services, has announced – via Hurwitz & Fine, Attorneys at Law – that it has discovered a “serious breach of its computer system” which has resulted in the Protected Health Information (PHI) of up to 600 individuals being accessed and viewed by a third party.
The security breach occurred last spring, and resulted in information being accessed by a third party acting under the direction of a physician formerly associated with BHG. The information potentially viewed includes patients’ full names, dates of birth, addresses, contact telephone numbers, their appointment schedules and e-superbills.
The information was accessed – and potentially also used – to “solicit patients in connection with the physician’s new employment,” according to the healthcare provider’s attorneys.
BHG confirmed that the data breach was confined to the spring of last year and that no information was accessed after June 2014. Because no Social Security numbers, health information or financial information was inappropriately accessed or viewed, and the reason for the breach is known, BHG does not believe the data will be used for any fraudulent activity.
BHG has reported the incident to the Department of Health & Human Services’ Office for Civil Rights, the NYS Department of Health, and the Office of Professional Medical Conduct. Patients are now being notified of the data breach and will receive letters in the post in the next few days if they have been affected.
Rise in Employee HIPAA Violations
This security breach is one of a number that have resulted from employees disclosing PHI to third parties. A similar incident occurred at the University of Rochester Medical Center after a member of staff took a list containing PHI to a new employer, which was subsequently used to send a marketing email to drum up new business.
During the past month, reports have been made of employees taking data when leaving employers, emailing spreadsheets containing PHI to personal email accounts, and viewing records without authorization. There is clearly a considerable risk of data breaches and HIPAA violations from within.
In light of the recent spate of data breaches and unauthorized disclosures, it is recommended that all employees required to come into contact with PHI be reminded of the HIPAA Privacy Rule and the implications of not abiding by it. The recent spate of insider HIPAA breaches and employee HIPAA violations has been covered in more detail here.