T.J. Parker reports:
An Owensboro medical group is investigating a data breach after learning that former employees allegedly stole information from about 3,000 patients.
Officials say they’re doing everything they can to protect their patients.
Director of Research for Owensboro Medical Practice, Timothy Hillard, says he found out former employees of Doctor Vora allegedly stole patient information three years ago.
Hillard believes the employees left to start their own business using the stolen information to contact patients to join them.
The medical group has since contacted its attorneys and began sending out letters to people whose information was taken.
Read more on 14News (WFIE).
Owensboro Medical Practice, PLLC and Research Integrity, LLC posted a notification on their web site. I am reproducing it below because it suggests a very different motivation for the theft than what Hillard told 14News, as cited above:
Public Notice
Owensboro Medical Practice, PLLC
Research Integrity, LLC
On or about July 24, 2014, Owensboro Medical Practice, PLLC, and its business associate, Research Integrity, LLC, learned that a spreadsheet containing protected health information was wrongfully copied and removed from the offices of Research Integrity by a former employee. This occurred despite the fact that only properly authorized persons at Research Integrity had access to the spreadsheet. The type of information contained on the database included patient names, addresses, telephone numbers, dates of birth, Social Security numbers and health condition(s). The spreadsheet had information of less than only 10% of the total number of Owensboro Medical Practice patients. At this time, neither company has reason to believe that the patient information will be used for identity theft or other identity fraud. We believe that the information is being used for research purposes by one of Research Integrity’s competitors.
Owensboro Medical Practice and Research Integrity are both investigating the incident and taking steps to ensure that patient information is secure. The companies are also pursuing the return of all hard copies of all information from the spreadsheet, the deletion of all computerized versions of such information on a permanent basis, and permanent injunctions against the persons or entities who had possession of the data from utilizing such data in the future. In compliance with HIPAA, Owensboro Medical Practice will alert the Department of Health and Human Services of this incident. Should you have any additional questions or concerns, please feel free to contact Michele Beyke of Owensboro Medical Practice at toll free number 844 639 2433.
At this point Research Integrity and Owensboro Medical Practice PLLC are not aware of any particular steps affected patients should consider taking secondary to the breach which Research Integrity has discovered. Owensboro Medical Practice and Research Integrity have advised affected patients, however, that they should consider placing fraud alerts on their credit reports by contacting one of the three major credit bureaus, which are Equifax, Experian, and TransUnion, and that they should continue to monitor their credit reports.
Owensboro Medical Practice and Research Integrity sincerely apologize and regret that this situation has occurred. They are committed to providing quality care, including protecting the personal information of their patients, and they wish to assure those patients that they have policies and procedures in place to protect patient privacy.
Note that the public notice does not mention that the data theft occurred three years previously. That’s a long time for patients’ SSNs to have been in others’ possession, and patients might want to know that. Nor does the notification reveal how the covered entity and business associate first learned of the breach.
This incident does not yet appear on HHS’s public breach tool.
Update: The incident was submitted to HHS under the business associate’s name as impacting 4,077 patients. Thanks to @VERISDB for pointing this out to me.
Glad you grabbed a copy of the company’s notice. It is now MIA from the Owensboro website despite a mention on the home page!
It’s still there. Try http://drvora.com/Public%20Notice%20MI.pdf