It seems that Bay Area Chiropractic Center LLC had a breach in 2015 that they first reported to Oregon this month. The breach occurred between June 1, 2015 and August 31, 2015, and was discovered on December 10, 2015. Affected patients were notified on December 22, 2015. Why they are first reporting this to Oregon is unclear to this blogger.
According to the notification letter to patients, BACC discovered that a substitute doctor who had been working for them had acquired patients’ personal information, including names, addresses, and telephone numbers, for unauthorized purposes. After terminating employment with them, the unnamed doctor then reportedly contacted BACC’s patients to tell them that BACC was closing its doors and their care was being transferred to him. That was not the truth, of course, and the matter was reported to Coos Bay Police. Of note, BACC found out about the substitute doctor’s theft of patient information from the doctor’s former business manager, who reportedly contacted them and told them that their patient data had been in a Word document on a flash drive and stored in a cell phone that the doctor subsequently disposed of.
Disappointingly, BACC’s notification letter to patients simply apologizes and assures them that they have policies in place to protect patient privacy. The letter does not indicate how they would prevent this from happening again.
I do not see this incident on HHS’s public breach tool, so it’s not clear how many patients may have been impacted.