Name of Entity
24 ON Physicians, PC/In Compass Health, Inc.
Organization Type
Healthcare, Medical Providers & Medical Insurance Services
Address
GA
United States
Description
On December 1, 2013, a subcontractor of 20 ON Physicians PC/In Compass Health Inc., Williamson Medical Center’s former business associate (BA), unintentionally made a computer server containing protected health information (PHI) potentially available for access on the internet. The PHI that was potentially available on the internet included the names, dates of service, charge amounts, and billing codes of 520 patients. The CE investigated and verified that its BA and its subcontractor had taken all necessary corrective steps to mitigate the breach. Specifically, the subject server was removed from public internet access, all data provided to the subcontractor was destroyed, and all cached pages were removed. Additionally, the CE worked with the BA to provide breach notification to HHS, affected individuals, and the media, and also posted substitute notice on its website. Additionally, the CE reviewed and confirmed that all of its BA agreements contain provisions addressing subcontractors and data security and conducted an in-depth review of its risk analysis. A separate breach investigation was opened for the BA, 20 ON Physicians PC/In Compass Health Inc. OCR reviewed the BA agreement and Breach Notification Rule policy and determined that they were sufficient.
Location of breached information: Network Server
Business associate present: Yes
Date of Breach
01/01/2014