HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

PRN Medical Services Notifies 2,200 of HIPAA Data Theft

According to a breach report issued to the Department of Health and Human Services’ Office for Civil Rights, PRN Medical Services, LLC – under the name Symbius Medical LLC – has suffered a HIPAA breach after five members of staff were identified as having accessed and stolen confidential and private records.

The information is believed to have been accessed, copied, and disclosed to a third party; a competitor of PRN Medical Services where the employees went to work. According to a statement issued by Symbius Medical, as reported by PHIPrivacy, the information is believed to have been stolen “in the weeks leading up to their resignations.”

The staff in question were former sales representatives and Symbius believes that the information was intended to be used, and may still be, to contact patients to attempt to sell them medical supplies. The data is not believed to have been taken for the purposes of committing medical or financial fraud, and is instead a case of sales representatives taking contacts with them when they change employer.

That said, this is theft of PHI and the persons responsible could be charged with unauthorized access of PHI, and could face time in jail for taking protected data with the intent of using it for personal gain.

Please see the HIPAA Journal Privacy Policy

3 Steps To HIPAA Compliance

Please see HIPAA Journal
privacy policy

  • Step 1 : Download Checklist.
  • Step 2 : Review Your Business.
  • Step 3 : Get Compliant!

The HIPAA Journal compliance checklist provides the top priorities for your organization to become fully HIPAA compliant.

The breach notice advises patients that actions have been, and continue to be, taken to prevent the use of the data. Symbius has obtained a court injunction against the individuals concerned to stop them from using the data, and has ordered them – and any other competitors – to return the information.

Patients have also been advised that Symbius is revising its policies and procedures to improve data security to prevent incidents such as this from occurring in the future. The company is intending to improve administrative, physical and technical safeguards to ensure that PHI is better protected.

There may be a risk of receiving sales calls or contact through the mail as a result of the data breach, although it is unlikely that any fraudulent activity will take place. However, individuals receiving a breach notice are being advised to take up the company’s offer of a year of credit monitoring services through Lifelock to ensure that if fraud does occur, it will be identified quickly and damage will be prevented.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.