In January 2015, Ronald D. Garrett-Roe, MD, a physician in Texas, notified HHS that 1,600 patients were affected by a hacking/IT incident involving a desktop computer. At the time, I could find no additional details on the incident, but now we have this somewhat puzzling summary of OCR’s investigation:
Alleged hackers gained unauthorized access to one or two hard drives on the desktop computers of the covered entity (CE), Dr. Ronald D. Garrett-Roe, affecting approximately 1,600 patients’ protected health information. The CE reported that the hard drive had been removed, all of the files copied, and the hard drive formatted, which caused all of the computer programs, the operating system, and many patient records to be erased. Dr. Garrett-Roe is no longer a covered entity.
Wait, what??? Maybe I need to add a “skeptical” option to the breach categories.
And what exactly did OCR do to protect patients when told all this? Did they verify any of the claims through forensic investigation or require him to provide a forensics report?
Did they do nothing because he’s no longer a covered entity?
What really happened here? That summary makes little to no sense. And if hackers really did acquire patient data, where is the notification and mitigation?