HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Privacy Breach Reported by Wentworth-Douglass Hospital

Wentworth-Douglass Hospital in Dover, New Hampshire has started alerting patients to a privacy breach experienced by one of its vendors, Ambucor Health Solutions.

Ambucor Health Solutions provides a remote-monitoring service for cardiac devices for hospitals throughout the United States. Earlier this month, the company started notifying its clients of a privacy breach caused by one of its former employees.

Prior to leaving employment, the employee downloaded sensitive company data onto two flash drives. The data breach was discovered by Ambucor Health Solutions over the summer and an investigation was launched.

The incident was reported to law enforcement, and the subsequent investigation resulted in the flash drives being recovered in July.

Get The Checklist

Free and Immediate Download
of HIPAA Compliance Checklist

Delivered via email so verify your email address is correct.

Your Privacy Respected

HIPAA Journal Privacy Policy

An analysis of the contents of the drives, which was completed in September, revealed the downloaded data included a range of electronic health information of cardiac patients from a number of the company’s clients, and included the protected health information of 775 patients of Wentworth-Douglass Hospital.

Social Security numbers, financial information, insurance information, and Medicare/Medicaid numbers were not copied to the flash drives so Wentworth-Douglass Hospital believes the risk of data being used to make fraudulent claims or steal identities is low. No evidence has been uncovered by law enforcement, Ambucor Health Solutions, nor Wentworth-Douglass Hospital to suggest any of the downloaded data have been used inappropriately.

However, out of an abundance of caution, all affected patients have been offered 12 months of identity theft protection services without charge. Patients will also be protected by a $1 million identity theft insurance policy.

The protected health information copied to the device included names, phone numbers, home address, race, Ambucor enrollment numbers, Ambucor enrollment dates, Ambucor technician names, patient ID numbers, Physicians’ names, testing data, medications, medical diagnoses, names of the practices visited, and details of the cardiac devices that had been fitted.

Ambucor Health Solutions has since taken steps to improve security to prevent future breaches of this nature from occurring, including conducting a thorough review and update of all HIPAA policies covering data security.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.