DataBreaches.Net


Stephenville Medical & Surgical Clinic notifies patients after data sent to another patient in error

Posted on May 31, 2017 by Dissent

I wonder if this incident really occurred on May 19, 2016, or if that was a typo and they meant to write “2017.” Their press release:

Stephenville, Texas, May 31, 2017 / Stephenville Medical & Surgical Clinic, P.A. (SMSC), a multi-specialty clinic serving the Stephenville, Texas area, disclosed it was involved in a data “breach,” related to inadvertently emailing an archived list of patients to a single individual. The incident occurred May 19, 2016, when an individual requested the clinic email a blank medical record release form. Rather than emailing the blank form, an employee in the Medical Records Department mistakenly emailed a spreadsheet containing a list of former patients, most of whom had not been seen at the clinic for more than 9 years. The recipient opened the document that evening and determined it was not the form requested. The recipient immediately deleted it. The next morning, the individual contacted the clinic to report the error.

The spreadsheet included patient’s name, date of birth, medical record number, and, for some patients, the date the patient last visited the clinic.  For many patients, the list did not include a full date of birth or information about the date last seen in the clinic.  The medical record number is unique to SMSC and has no potential use except at this facility.

Importantly, the list did not include sensitive medical or financial information. It did not include diagnoses or what providers the patients saw. It did not include addresses, phone numbers, credit card numbers, insurance information, or social security numbers. Thus, it is unlikely the individual receiving this list could use the information to perpetuate identity theft or any other fraudulent activity.  It is also important to note that SMSC was not hacked. No records were stolen.  This incident was the result of accidental human error.  And again, no sensitive medical or financial information was included.

SMSC brought in an independent firm to conduct an assessment of this incident, ultimately concluding the incident posed little, if any, risks to the patients involved.  During the course of the investigation, the recipient fully cooperated, including meeting with representatives of the outside firm on multiple occasions, signing an affidavit regarding the incident, and ensuring the information was deleted from the “deleted” folder of the computer.  The recipient is a long-time patient of the clinic and believed to be honest and trustworthy – conclusions that the outside investigation also made.  SMSC has no evidence that any of the data provided to the recipient has been or will be used or misappropriated.

Letters to potentially affected patients are being mailed.  These letters explain what occurred and offer identity protection and restoration services.

In the course of the assessment, SMSC mitigated potential harm to its patients by reasonably assuring itself that the recipient had deleted the email and would not use or misappropriate anyone’s information.  The employee who made the mistake was terminated.  SMSC also changed how the information is stored to prevent this type of incident from occurring in the future.  Clinic employees undergo yearly training to ensure they understand and maintain patient privacy and data security.

SMSC understands the importance of safeguarding protected health information and takes that responsibility seriously.  The clinic is strongly committed to maintaining the privacy and security of all patient data.  

To Learn More

SMSC has established a dedicated-assistance line for anyone seeking additional information regarding this incident, as well as steps to better protect against identity theft. For the next 90 days, this assistance line can be reached at (888) 735-0505, Monday through Friday from 9 am to 9 pm EST.  

Identity Protection Tips

SMSC recommends potentially affected individuals check their credit reports and account statements regularly for suspicious activity.  SMSC also recommends potentially affected individuals consider enrolling in the complimentary identity protection services described in the letter.  

SOURCE: Stephenville Medical and Surgical Clinic


Category: Exposure, Health Data, Insider, U.S.
