A media/substitute notice:
The office building and office suite of Jeremiah J. Twomey M.D., was vandalized during the weekend of December 31, 2011, at which time an external drive containing personal and confidential health information of individuals was stolen from Dr. Twomey’s office. Unauthorized use of this data is unlikely. Any individuals who believe they may have been affected by this incident are asked to please contact the response team of ID Experts at 1-877-283-6561.
The independent investigation indicated that names, addresses, medical conditions, diagnoses and, in some instances, Social Security numbers and dates of birth, were contained on the stolen hard drive. Dr. Twomey has encrypted all data that is maintained electronically to ensure that personal and confidential health information is stored and handled in a secure manner. Individuals with questions regarding this incident can visit http://www.jjtwomeymd.com/index.htm .
In addition to procedural changes, Dr. Twomey has contracted with ID Experts® to provide an extensive level of services to protect individuals from personal and medical identity theft. These services include: a one year FraudStop(TM) Healthcare Edition membership that provides fraud resolution services, education materials, insurance reimbursement for expenses related to resolve an identity theft situation; and a Healthcare Identity Protection Toolkit(TM) with comprehensive information and resources on medical identity theft.
This press release is in accordance with the Health Information Technology for Economic and Clinical Health (HITECH) Act and the Health Insurance Portability and Accountability Act(HIPAA). The medical offices of Jeremiah J. Twomey, M.D., F.A.C.P. has notified potentially affected individuals, clients, and the Department of Health and Human Services (HHS).
For Press Only:Jeremiah Twomey, M.D., F.A.C.P.1-877-283-6561
SOURCE ID Experts
“Unauthorized use of this data is unlikely.” is the second sentence in the notice? Seriously, ID Experts? You should know better.
If my medical card from the insurance company has my name and member id on it… is that considered PHI?
If that info is held by a HIPAA-covered entity or business associate, yes, as far as I know.
““Unauthorized use of this data is unlikely.” is the second sentence in the notice? Seriously, ID Experts? You should know better.”
Well, the information *was* encrypted (from the description, it sounds like full disk encryption)….maybe they should have mentioned that in the same sentence. I must admit I was taken a little aback when I read that same passage, encryption or no encryption.
There’s encryption and then there’s encryption. If the data or disk were encrypted to NIST standards, there would be no mandatory notification. Since they’re notifying, I made the assumption that this is not to NIST standards. I could be wrong of course, but…
In any event, whenever an entity starts out by minimizing risk, it makes it less likely that recipients will take action to protect themselves. And as study after study have shown, people who receive breach notices are more than 4 times as likely to become victims of ID theft within the next year or so. So yeah, I don’t like seeing entities minimize – especially right off the top.