Uncommon Care PA Informs 13,674 Patients of Potential PHI Breach

It has been a little over seven months since Bizmatics Inc., discovered malware on a server used for its PrognoCIS EMR tool and breach reports are still being issued to the Office for Civil Rights by the company’s healthcare clients. Two further healthcare providers have now announced they have been affected by the Bizmatics breach: Uncommon Care, PA., and the Lifewellness Institute.

OCR was notified of the breach of Uncommon Care patients’ data on June 21, 2016, although it has taken a while for the entry to appear on the breach portal and for a substitute breach notice to be uploaded to the Uncommon Care website. The breach notice explains that while the healthcare provider was notified of the potential breach in April 2016, it was not clear whether patients’ PHI had actually been viewed or obtained by unauthorized persons.

Uncommon Care attempted to determine the extent to which patients were at risk, but Bizmatics was unable to confirm whether the PHI of patients had actually been viewed, only that access to data was possible during the time that malware was present on its server. Uncommon Care reports that by May 28, 2016 Bizmatics was still unable to confirm whether its patients PHI had been viewed or accessed, only that unauthorized access to the system had occurred.

Since data was potentially accessed, Uncommon Care has now notified all 13,674 of its patients whose data were stored on the server that names, dates of birth, addresses, Social Security numbers, and medical diagnoses were potentially viewed or obtained in the incident. No evidence has since been discovered to suggest information was accessed, copied, or used inappropriately. Patients have been offered 12 months of credit monitoring services without charge as a precaution against improper use.

San Diego, CA-based Lifewellness Institute has notified 2,473 of its patients that their data may have been viewed by unauthorized individuals. Lifewellness Institute CEO & Founder Lee Rice, DO, also took the decision to offer patients a year of credit monitoring services to mitigate risk. Affected patients had their name, phone number, address, date of birth, marital status, insurance information, and Social Security number exposed, as well as some medical information. Similarly, no evidence was uncovered to suggest that any patients’ data were actually accessed.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.