HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Capital Digestive Care Notifies 17,639 Individuals of PHI Exposure

The Silver Spring, MD-based gastroenterology group Capital Digestive Care has discovered that one of its business associates uploaded files to a commercial cloud server that lacked appropriate security controls, exposing the protected health information of up to 17,639 patients.

The availability of sensitive patient data over the Internet was brought to the attention of Capital Digestive Care on February 23, 2018, and action was promptly taken to secure the files and prevent further unauthorized access.

An investigation into the privacy breach was launched to determine the types of information that had been exposed and the number of patients impacted.

The investigation confirmed some sensitive data had been exposed, although the breach was limited to individuals who had visited its website and submitted information via the Schedule a Visit and Contact pages on the site.

The types of information exposed were limited to names, addresses, email addresses, telephone numbers, and birth dates. Patients may also have had a limited amount of health information exposed. The login page to the patient portal and the Pay a Bill pages were unaffected, so no financial information was exposed. No patient accounts were compromised, and Social Security numbers and electronic health records remained secure at all times.

Capital Digestive Care has taken steps to prevent further breaches of PHI. All third-party vendors are now required to confirm compliance with HIPAA Security Rule provisions concerning the secure storage of personal data.

All patients impacted by the incident have been notified by mail and provided with information on monitoring and protecting their personal information.

It is unclear for how long patient data were exposed and how many unauthorized individuals viewed patient information.

Capital Digestive Care has not received any reports to suggest the exposed information has been obtained by unauthorized individuals or misused.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.