HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Former Aegis Medical Group Employee Potentially Accessed 9,800 Records Without Authorization

The Florida physician network, Aegis Medical Group, has started notifying 9,800 patients that their protected health information may have been accessed by a former employee. That individual is understood to have attempted to sell patient records to third parties suspected of being involved in identity theft and fraud.

Aegis Medical Group was informed by law enforcement on September 11, 2019 about the employee. The law enforcement investigation determined that the employee attempted to sell the data of just two patients. Working with law enforcement, the physician network determined that the records of up to 9,800 patients were potentially accessed by the employee between July 24, 2019 and September 9, 2019.

The information contained in the records was limited to first and last names, dates of birth, account numbers, postal addresses, diagnosis information, and Social Security numbers. Approximately 75% of the records that may have been accessed were physical records rather than electronic copies.

Following notification by law enforcement, Aegis Medical Group immediately terminated the employee. It is unclear at this point in time whether the former employee has been charged.


Due to the nature of the data exposed, all affected patients have been advised to monitor their accounts, explanation of benefits statements, and credit card statements for signs of misuse of their information, and have been told about other steps they can take to prevent identity theft and fraud. Complimentary credit monitoring and identity theft protection services are also being provided.

Aegis Medical Group has confirmed that all physical records were stored properly. To improve security, physical records are now being converted to digital formats, as digital records are easier to secure and monitor for unauthorized access. Employees have been notified about the incident and told about the consequences of improper PHI access and the importance of maintaining the confidentiality and security of patient records.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.