Lawyers for Olartino Dyoco, M.D., a physician in California, are notifying his patients that some of their information was on computers stolen during an office burglary. The burglary was discovered on June 2. The stored billing information included:
Names and addresses, birth dates, telephone numbers, insurance numbers, treatment codes, and billing information”
The incident was reported to the Fresno Police Department; their report number 15-38894.
The notification letter, a copy of which was submitted to the California Attorney General’s Office, makes a somewhat interesting claim, however:
The circumstances that resulted in this breach were unforeseeable,
Why?
In any event, according to his lawyers, Dr. Dyoco
has heightened procedures and safeguards to prevent a recurrence of this situation. He added levels of encryption to his computer systems, and advised his staff with regard to security training anything to avoid this situation in the future.
“Added levels of encryption?” Was there any encryption at all? If there was encryption but it was not NIST-grade, then he would have had to report this, but it’s not clear from the letter whether there was any encryption to begin with.
Patients (or their parents) having questions can call the doctor’s lawyer, Christian Koster, of Schuering Zimmerman & Doyle, LLP, at the toll-free number provided in the notification letter.
Comment:
All in all, this letter would have come across much better, in my opinion, if it had been written as coming directly from the doctor, with an apology coming directly from him for the inconvenience and worry his patients may now experience. What do you think?
I also found the “heightened procedures and safeguards” interesting. With the exception of requiring employees to take laptops home each night or lock them to their desk, how would Security Training prevent a burglary in the future?
And shouldn’t credit monitoring have been mentioned since billing info was potentially accessed?
Credit monitoring isn’t necessary unless SSN are involved. If it’s card numbers/bank acct numbers that were stored, then just call the bank and alert them so they can cancel the acct and reissue new number, or they can flag the account to watch for suspicious activities.
That said, it would have been helpful for the notification to indicate what types of billing info were involved and to advise patients more specifically as to what steps to take.
Also, what about the risk of medical identity theft if insurance numbers were stored with names and DOB? Where’s the mitigation/advice for that risk?