Florida-based Unity Recovery Group is notifying patients of a HIPAA breach that involved disclosure of their protected healthy information to providers outside their network without prior written consent.
The breach apparently began in April 2014 and continued for a full year, until it was discovered in April of this year, as their letter explains:
We have recently learned that your personal information, held by Unity Recovery Group, Inc. and/or its affiliated companies, including Starting Point Detox, LLC, Lakeside Treatment Center, LLC, Changing Tides Transitional Living, LLC, and Unity Recovery Center, Inc. (collectively “Unity”), was improperly disclosed to one or more recovery and/or rehabilitation service providers, unaffiliated with Unity, without your prior written consent.
At Unity, we take patient privacy very seriously and it is important to us that you are made fully aware of a potential privacy issue that may affect you. In April 2015, we learned that your personal information, which may include your name, address, date of birth, address, telephone number, social security number, e-mail address, insurance information, and/or certain health- related information, was impermissibly disclosed. The incidents giving rise to this notice occurred between April 2014 and March 2015 and involved the disclosure of your personal information to one or more unaffiliated recovery and/or rehabilitation service providers, without your prior written consent. While we have not received any indication that the information disclosed has been accessed or used for any other purpose, we are required to obtain your prior written consent before disclosing your personal information, with limited exception.
Those impacted are being offered services with ID Experts. A call center has also been set up for those who have questions about the incident.
Update: According to their notification to the New Hampshire Attorney General’s Office, the breach impacted fewer than 1,000 patients, total, and no state had more than 500 patients impacted.