One of the breaches recently added to HHS’s public breach tool involved Multilingual Psychotherapy Centers, Inc. in Florida.
PHIprivacy.net spoke with them about the incident and obtained a redacted copy of their notification letter to patients.
According to their October 23rd letter and statements made to PHIprivacy.net, a server stolen during an office burglary contained 3,500 patients’ first and last names, addresses, telephone numbers, Medicaid numbers, and Social Security numbers. No diagnostic or clinical information was on the stolen server.
Those notified of the breach were advised to place fraud alerts on their credit reports, but were not offered any complimentary credit monitoring protection service or given advice as to how to protect themselves from medical ID theft. Patients with any questions were encouraged to call the center.
A spokesperson for the center indicated that they believed the server was stolen for its hardware value and not for the information. They may be correct, but the server held enough data to support a tax refund fraud scheme (as well as medical ID theft), so patients should remain vigilant.
The letter does not state what steps the center is taking to harden its security to prevent a future incident of this kind, but its spokesperson informed this site that they have added additional deadbolts to the server room door, and they plan to add interior and exterior cameras as well as additional glass-break devices. They also plan to add a lock system to physically secure the server to the workstation. The center is also reviewing and enhancing its policies and procedures for IT security and data breaches.