NRAD Medical Associates has announced that it has suffered a major security breach which has compromised the personal and medical data of up to 97,000 of its patients.
The Garden City, NY healthcare provider has issued breach notification letters to all affected patients – as required by the HITECH Act and HIPAA breach notification rule – to warn them that their records have been inappropriately accessed by a former employee. The employee in question was a radiologist who is alleged to have “accessed and acquired” up to 97,000 records on or around April 24th, 2014 by gaining access to NRAD’s billing systems.
While it would appear that the radiologist took the data for personal or financial gain, NRAD informed patients that it is not aware of any external misuse of the information that the employee acquired and it believes patients face only a very low risk that their medical and health information will be used for fraudulent purposes.
NRAD confirmed that as soon as it became aware of the breach it took rapid action to mitigate any damage, and also terminated the unnamed radiologist’s employment contract. Breach notification letters were sent to all affected individuals by post and a notice of the HIPAA breach was posted on its website.
In response to the security breach, NRAD claimed it had already implemented “enhanced security safeguards” on its billing and patient databases, although it did not mention specifically what those measures were. Since the data is believed to have been copied, patients have been exposed to a very low but “unacceptable” risk, according to the NRAD breach letter.
No credit card numbers or financial information is believed to have been accessed, although Social Security numbers, dates of birth, health insurance numbers, diagnosis and procedure codes were present in the files along with some personal information.
As a precaution against identity and medical insurance theft, patients have been warned to sign up to a credit monitoring service and to check their finances closely over the coming months for any signs of fraud. Advice was included on how a free credit report can be obtained and all recipients of the letter will be provided with 12 months of Equifax credit monitoring services free of charge.
The security breach has been reported to the Office for Civil Rights and an investigation is likely to be conducted to assess whether HIPAA Privacy and Security Rules had been followed. NRAD could potentially face a stiff financial penalty if it had not implemented the necessary safeguards to protect the electronic health information of its patients prior to the breach occurring.