Valley Anesthesiology and Pain Consultants Reports 882,590-Record Data Breach

A potential breach of protected health information has been uncovered by Phoenix, AZ-based Valley Anesthesiology and Pain Consultants (VAPC). The records of 882,590 current and former patients and employees were potentially accessed by an unauthorized individual between March 30 and June 13, 2016.

Upon discovery of the intrusion, VAPC reported the incident to law enforcement and hired a leading computer forensics firm to conduct a full investigation. While it was confirmed that an individual had gained access to a system containing PHI, no evidence was uncovered to suggest that PHI had actually been accessed or copied. However, it was not possible to rule out the possibility that sensitive data were viewed. No reports of unauthorized data use have been received by VAPC at this moment in time.

The breached system contained a wide range of sensitive information on providers, patients, and employees. Patients affected by the security breach have had their names, dates of service, health insurer name and ID number, diagnosis and treatment codes, and treatment locations exposed. In some cases, Social Security and Medicare numbers were also exposed.

Employees affected by the breach have had their name, address, date of birth, Social Security number, bank account information, tax information, and financial information exposed. The system also stored information on providers, including names, dates of birth, credentialing information, Drug Enforcement Agency (DEA) numbers, professional license numbers, National Provider Identifiers (NPIs), tax information, bank account information, and other financial data.

All individuals affected by the breach are being notified of the security incident by mail. Individuals that have had their Social Security or Medicare number exposed are being offered 12 months of credit monitoring and identity theft protection services without charge. VAPC has already taken action to prevent future breaches, including revising its security processes and strengthening its network firewalls.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.