There is so much wrong with this one that although I give them great credit for admitting they had a breach four years ago that they first discovered, I find their notification quite concerning.
From The Pediatric Endocrinology and Diabetes Specialists, 5235 South Durango #103, Las Vegas, NV 89113:
On 11 January 2018, during an audit of our computer logs, we came across evidence that there was a breach of patient health information in our system.
The breach occurred on numerous days between 27 January 2014 until 7 February 2014. Information that appears to have been taken includes full name, date of birth, address, phone number along with email address, insurance payor, medical record number, diagnosis codes and clinical notes.
We feel that you do not need to take any proactive steps to limit any harm. The breach was 4 years ago, and we suspect it was to take patient data for recruitment to another medical facility in Las Vegas.
We are continuing to investigate what has been done. We do know who the suspects are, and we have reported the breach to the office of civil rights for investigation and for any criminal investigation should it be needed.
We have setup a toll free number that will be active until April 18,2018. If you have any questions you can call 1-866-369-6619 and leave a voicemail and we will get back to you.
We apologize for this. We take protecting your privacy very seriously. We are fully up to date on all HIPPA (sic) certifications and standards. Our staff is retrained annually on such standards. With Twistle we are on the cutting edge of HIPPA (sic) standards. This was a result of internal theft from a staff member – not an outside hacker selling your health data on the internet.
Thank you for your understanding.
So, okay, I don’t know that I agree with them that nothing needs to be done. If someone wandered off with your personal information and some insurance and medical information, then regardless of what The Peds suspects that former employee intended to do with it four years ago, where are those data now? Are they on a flash drive that is not encrypted? Are they on a CD sitting around gathering dust somewhere? Are they on another entity’s hard drive, waiting to be hacked by someone else?
Who has access to those data right now or could have access to it?
And what has The Peds done to prevent an insider breach of this type happening again in the future? Are they somehow trying to suggest that using Twistle is relevant to preventing this type of wrongdoing again?