Tri-State Surgical Associates in Elkton, Maryland recently notified patients of a disclosure breach involving their PHI.
According to a letter sent by Drs. Lowe and Vaidy, when a physician left their practice in May, he reportedly asked a staff employee for patient contact information so that he could notify patients of his new practice location. The staff member, without consulting with anyone as to the appropriateness of the request, complied and gave the physician a printout with patient contact information. TSSA discovered the breach on July 18 and notified patients.
Their notification letter, a template of which was submitted to the state, informed 433 Maryland patients that the physician may have acquired 15 types of information about them, including their Social Security number, date of birth, and insurance information, depending on what information the practice maintained about them. Patients were advised to place fraud alerts on their credit reports and to take other steps to protect their credit.
To their credit, TSSA took a number of steps after they became aware of the disclosure, including, but not limited to (1) notifying the physician that acquisition and use of the information violated HIPAA and requesting return of the data and destruction of any copies, and (2) suspending employees’ ability to generate patient lists from their computer system.