ManagedMed Inc. (A Psychological Corporation), based in Los Angeles, recently notified the California Attorney General’s Office of a breach involving patient scheduling information.
According to their July 17th letter to patients, submitted to the state on July 25, some patient scheduling information located in their computerized system had been viewed via an unsecured webpage by two non-ManagedMed people.
ManagedMed learned of the breach on May 13 and launched an immediate investigation that revealed that from approximately March, 2013 through May 15, 2014, it was possible for unauthorized individuals to access the calendaring system “in certain circumstances.”
Seth Hirsch, PhD, President of ManagedMed, informed patients that “An individual who knew the website address for the calendaring system could access patient scheduling information for the period between November 1, 2010 through May 15, 2014. In addition, with respect to a limited number of patients, it was possible for an unauthorized person to access the ManagedMed calendaring system by performing a Google search of a patient’s name and then clicking on a link to the calendaring system website.”
Information in the calendaring system included patients’ names, telephone numbers, names of care providers, limited notes, and the date of the appointment. “In certain cases,” Dr. Hirsch wrote, “the notes contain abbreviations about the general type of visit scheduled, for example ‘f/u’ (“follow up), ‘i/e’ (“initial examination”) or notes about medication or a test the patient was scheduled to take.”
Considering that this is a mental health facility, exposure of such information could be somewhat embarrassing or problematic.
No Social Security numbers or driver’s license numbers were accessible via the calendaring system and it was not possible to access patients’ actual medical records, which are not maintained on a computer, Dr. Hirsch explained.
The calendaring system was secured on May 15, and other than the two individuals who accessed it without authorization on May 13, ManagedMed is not aware of any other access to the system or any misuse of information.
No services were offered to the patients and they were given no advice. ManagedMed did apologize for the incident and reassure patients that the system was now secured.
You can read the notification here (pdf).
And no, this incident is not (yet?) up on HHS’s public breach tool. I’m wondering what they might do in this case as exposing information about patients at a mental health facility is pretty serious, even if only two people actually accessed the information.
Note: ManagedMed Inc. does business as Managed Med, Inc.