HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Family Medicine East, Chartered Alerts 6,800 Patients to ePHI Exposure

Family Medicine East, Chartered of Wichita, KS, has reported the theft of a computer from its Rock Road facilities. Thieves broke into the locked clinic on December 8, 2016 and stole a desktop computer and a printer. The computer, which was unencrypted, contained the protected health information of almost 7,000 patients.

Law enforcement was notified of the break-in and theft, although the individual(s) responsible have not been apprehended and the stolen computer has not been recovered.

The data on the computer were backed up, so the theft has not resulted in the loss of any ePHI. However, an investigation of the data backups revealed that a considerable number of images and office notes were stored on the device.

The medical notes were mostly transcriptions of dictated physicians’ notes and related to patients who had visited Family Medicine East, Chartered for medical services between 2003 and 2004. The notes contain details of what was discussed during patients’ appointments and included patients’ names, birth dates, appointment dates, physicians’ names, symptoms, details of examinations, diagnoses and orders. In addition to the physicians’ notes, some letters were stored on the stolen device which detailed patients’ names and medical conditions. The letters related to referrals of patients to other physicians.

Family Medicine East, Chartered has now notified all affected patients of the breach and has reassured them that no financial information, Social Security numbers, or addresses were stored on the computer. Only images and notes typed by transcriptionists were exposed as a result of the theft.

Family Medicine East, Chartered pointed out in its notification letters that the files should not have been stored on the computer and therefore were not flagged during risk analyses conducted prior to the theft. The files had been stored on the stolen device “as a result of an employee’s oversight,” according to the clinic’s substitute breach notification letter.

Due to the nature of data stored on the device, Family Medicine East, Chartered says “it is hoped that the risk of information being misused is low,” although the clinic has agreed to make credit reports available to affected patients free of charge.

Prior to the theft, Family Medicine East, Chartered had already started the process of encrypting all devices that contained patients’ protected health information, and the clinic reports that the process has now been completed. Security at its facilities has also been augmented to reduce the risk of further burglaries.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.