Share this article on:
Pedes Orange County Inc., a California healthcare provider specializing in treatments for vascular disease, is alerting some of its patients that a physician accessed their medical records, without authorization, and provided some of that information to an attorney.
Pedes shares its facilities with another medical group, which conducts surgical procedures at the facility during the week. A scheduling tool is also shared with other physicians that use the same facility.
On November 14, 2017, Pedes became aware that a physician employed by a different medical group had accessed its electronic medical records database and viewed the records of some of its patients. Pedes did not provide authorization for the EMR to be accessed.
Pedes reports that the physician subsequently shared some of the information in the database with an attorney. After discovering the breach, the physician was contacted and Pedes has been working to ensure all copies of patients’ PHI that were obtained from its EMR system are securely destroyed and that no copies remain.
The types of information potentially compromised includes names, diagnoses, treatments, dates of service, and other treatment related data. No financial information or Social Security numbers were stored in the database and remained secure at all times.
While information was taken from the database, Pedes has no reason to believe any PHI has been misused. However, since the incident is classed as a security breach under HIPAA Rules, notifications about the breach must be sent to patients.
Although data misuse is not suspected, patients have been advised to take precautions and examine their Explanation of Benefits statements and other information from their health insurers for any medical treatments listed by not provided.
The incident has prompted Pedes to conduct a review of its security protocols, which will be updated to ensure that this type of security breach does not happen again.
The breach report submitted to the Department of Health and Human Services’ Office for Civil Rights indicates the PHI of up to 917 patients was accessed and potentially disclosed.