HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

NRAD Medical Associates Reports 97K-Patient HIPAA Breach

NRAD Medical Associates has announced that it has suffered a major security breach which has compromised the personal and medical data of up to 97,000 of its patients.

The Garden City, NY healthcare provider has issued breach notification letters to all affected patients – as required by the HITECH Act and HIPAA breach notification rule – to warn them that their records have been inappropriately accessed by a former employee. The employee in question was a radiologist who is alleged to have “accessed and acquired” up to 97,000 records on or around April 24th, 2014 by gaining access to NRAD’s billing systems.

While it would appear that the radiologist took the data for personal or financial gain, NRAD informed patients that it is not aware of any external misuse of the information that the employee acquired and it believes patients face only a very low risk that their medical and health information will be used for fraudulent purposes.

NRAD confirmed that as soon as it became aware of the breach it took rapid action to mitigate any damage, and also terminated the unnamed radiologist’s employment contract. Breach notification letters were sent to all affected individuals by post and a notice of the HIPAA breach was posted on its website.

In response to the security breach, NRAD claimed it had already implemented “enhanced security safeguards” on its billing and patient databases, although it did not mention specifically what those measures were. Since the data is believed to have been copied, patients have been exposed to a very low but “unacceptable” risk, according to the NRAD breach letter.

No credit card numbers or financial information is believed to have been accessed, although Social Security numbers, dates of birth, health insurance numbers, diagnosis and procedure codes were present in the files along with some personal information.

As a precaution against identity and medical insurance theft, patients have been warned to sign up to a credit monitoring service and to check their finances closely over the coming months for any signs of fraud. Advice was included on how a free credit report can be obtained and all recipients of the letter will be provided with 12 months of Equifax credit monitoring services free of charge.

The security breach has been reported to the Office for Civil Rights and an investigation is likely to be conducted to assess whether HIPAA Privacy and Security Rules had been followed. NRAD could potentially face a stiff financial penalty if it had not implemented the necessary safeguards to protect the electronic health information of its patients prior to the breach occurring.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.