Sometimes I see breaches on HHS’s public breach tool but can find no web site for the covered entity or any substitute notice online. Such was the case with an entry for “Daniel A. Sheldon, M.D., P.A.,” an orthopaedic surgeon in Florida. The breach tool entry indicated that on September 16, 2015, the doctor had reported a hacking/IT incident that affected 2,075 patients. And according to the entry, no business associate was involved.
OCR recently updated the entry to provide this summary of the incident (link added by DataBreaches.net):
On May 18, 2013, OCR received an anonymous complaint alleging that the protected health information (PHI) of the patients of the covered entity (CE), Dr. Daniel Sheldon, M.D., P.A., was accessible on the internet via Google. OCR confirmed the allegations when it identified web search results containing private medical records from a website associated with the practice. Following an investigation by OCR, the practice submitted a breach notification to HHS on September 16, 2015, in which it reported that the PHI of approximately 2,075 patients was potentially viewable online, including addresses, dates of birth, names, and clinical information. In response to the incident, the CE contacted its electronic medical record (“EMR”) hosting company, IOS Health Systems (“IOS”), which immediately secured the information and conducted an internal investigation. IOS changed the file locations of the practice’s EMR records, renamed the file structures, obfuscated file directories, conducted standard security inspections, and began an audit trail review to determine any unauthorized access to the CE’s records. Additionally, the CE ensured that users did not share any documents or links via non-secure methods, changed all passwords for all users, confirmed username and password confidentiality policies with all employees, ensured proper antivirus and spyware applications were installed, and verified that its firewall was properly configured with the latest version of security upgrades. In response to OCR’s investigation, the practice provided evidence that provided breach notification to HHS, affected individuals and the media, and offered identity theft protection services. It also terminated its relationship with its EMR system hosting company, IOS, and entered into a revised business associate agreement with a new EMR hosting company. Finally, the CE created new policies regarding its breach notification procedures.
If OCR was notified in May of 2013, that seems like a long lag to getting this addressed. Perhaps that was a typo on OCR’s part?