Denver, CO-based Lasair Aesthetic Health, P.C., has alerted 1,835 patients that their privacy was violated by a former employee who secretly emailed a limited amount of their protected health information to a personal email account.
The former Lasair manager used her mobile phone to log in to her work email account on May 11, 2016, and sent documents and a list of patients to her personal email account. The patient list contained a limited amount of patients’ protected health information, including full names and details of the amounts that each patient had spent on medical services at Lasair in 2015.
No highly sensitive data such as insurance information, Social Security numbers, credit card details or other financial information were compromised, although a couple of patients had photographic images (not including face shots) and treatment results emailed to the former manager’s personal email address.
Lasair discovered the privacy incident a day later, on May 12, 2016, and launched an internal investigation. The employee was contacted and instructed to delete all patient information and company documents in her possession and not to disclose any information to any other individual. The employee confirmed that all information from Lasair has been deleted. Lasair is currently seeking an injunction to ensure that there will be no further use or disclosure of patient data should that not prove to be the case.
Lasair pointed out in its substitute breach notice that the emailing of patient data was a clear breach of company policy as well as HIPAA Rules. The incident has been reported to law enforcement, and efforts are now being made to improve security to prevent similar breaches from occurring in the future.
The measures being explored include new technology to prevent documents and patient health information from being emailed outside the company network, or from being copied or moved. Additionally, Lasair is exploring new technology to monitor the network for any suspicious activity. The incident has also triggered a review of privacy and security policies and procedures.
Patients affected by the privacy incident were notified by mail on July 11, 2016.