A recent update to HHS’s public breach tool shows that Western Regional Center For Brain And Spine Surgery reported a breach affecting 12,000 patients. The breach ran from November 28, 2011 until June 29, 2012 and involved “theft, network server.”
A letter sent to patients, dated July 9, 2014, explains that on or about May 13 of this year, the Las Vegas-based practice received information from law enforcement that there had been a breach of personal health information from their billing files.
“A former employee who worked for us during 2011 and 2012 is now the subject of a law enforcement investigation relating to personal health information that the former employee is alleged to have stolen and used for fraudulent activities,” writes Robin Hasty, Office Administrator.
The types of personal health information involved in the breach included patients’ names, social security numbers, dates of birth, home addresses, and Western Regional Brain and Spine patient billing account numbers.
“Presently, we are unable to identify the specific patients whose personal health information was actually stolen nor do we know which of those patients whose information was stolen was also used for fraudulent activities,” Hasty writes.
Because of their lack of precise information, they notified everyone seen during the time period the employee worked there. They also advised patients to check their credit, bank, and insurance account reports on a regular basis and to place a fraud alert on their credit reports.
What they didn’t do, however, was offer patients any free credit monitoring services, nor tell them what kinds of fraudulent activities their information might have been misused for.
The practice is reviewing its policies, procedures, and technological safeguards in light of the incident and is cooperating with law enforcement in their investigation.