Add Mary Ruth Buchness, M.D. to the list of medical practices that have reported a breach in 2015. On December 12, she submitted a copy of her notification letter to patients to the Vermont Attorney General’s Office. A copy of the notice is also prominently linked from her web site.
Dr. Buchness writes, in part:
Specifically, on November 23, 2015, an email was sent to a number of current patients of our practice which was intended to include as an attachment a form of patient survey to help us improve our service to our patients. However, instead of the survey form, the email was inadvertently sent with an attachment that included a spreadsheet of demographic information regarding a number of our patients, which may have included you, containing names, social security numbers, dates of birth, gender, dates of last service and next appointment, telephone numbers, addresses, email addresses, marital status, head of household, employer/occupation and race/ethnicity.
The network administrator immediately shut down the mail server when the mistake was notice, but it appears that approximately 130 emails were sent. “Of those one hundred thirty e-mails, sixty were successfully delivered and received,” Dr. Buchanan writes.
The exact number of patients who had data in the spread sheet was not disclosed in the letter.
Dr. Buchanan has taken a number of steps to prevent a recurrence of this type of problem and to improve privacy and security safeguards:
To protect against further breaches, we have retained the services of a privacy and security consultant to review and update all office procedures, to assist with implementing additional technical safeguards to prevent sending protected health information unintentionally through our e-mail system, and to provide additional HIPAA training to all employees. Furthermore, pending the implementation of additional procedures designed to prevent such an error from recurring, we have instituted an outright ban on any emails to multiple recipients.
Patients who were notified of the breach were also offered complimentary services with AllClear ID.
Update: This breach was subsequently reported to HHS as affecting 14,910 patients.