Anchorage-based healthcare provider, Alaska Orthopedic Specialists, has alerted 553 patients about a breach of their protected health information. The healthcare provider is no longer in business, having closed its doors in March 2015.
While closing the business, it was discovered that a former non-physician member of staff had emailed the data of 553 patients to a personal email account, against company policy and without authorization. According to the defunct company’s breach notice, efforts have been made to secure the stolen data. It is not clear whether those data have now been securely and permanently deleted.
The theft of data was reported to the Department of Health and Human Services’ Office for Civil Rights on November 19, 2015, although it has not been made public exactly what data were stolen or when the email was sent. The data were presumably emailed to the personal email account prior to the closure of the business.
The breach notice states that no evidence has been found that the data were further disclosed or used inappropriately.
All affected individuals should obtain free credit reports from each of the three credit bureaus and should check entries for any sign of fraudulent activity. Explanation of Benefits (EoB) statements should also be obtained and checked for any sign of fraud.
Individuals have now been advised of the privacy breach and have been offered credit protection services to protect against identity theft and fraud resulting from the exposure of their PHI.
Responsibility to Keep PHI Secure and Confidential
Even if a healthcare provider closes its business, the business owners still have a responsibility to keep all stored PHI secure until such time as it can legally be destroyed.
Paper records and physical images of patients, such as x-rays, must be shredded or otherwise permanently destroyed when no longer required. Electronic copies of data must be deleted, purged, and must be incapable of being reconstructed. NIST offers guidance on how this can be achieved in publication 800-88.
Should any data be obtained by unauthorized individuals, the covered entity still has a responsibility to alert affected individuals and the OCR, even if that company is no longer in business. The covered entity also has a responsibility to take steps to mitigate risk in the event of disclosure of those data until such time as the data are destroyed.