Camelback Women's Health

In early September 2015, the covered entity (CE), Camel Back Women’s Health, discovered that a former employee retained of copies 1,564 patients’ documents to solicit the CE’s patients for her own practice. The types of protected health information (PHI) in the documents included names, addresses, social security numbers, dates of birth, diagnoses and medical conditions, medications, and other treatment information. The CE provided breach notification to HHS, affected individuals, and the media. In response to the breach, the CE asked the former nurse practitioner to return and/or destroy all of its patients’ PHI in her possession and hired a lawyer to ensure that the former employee signed an affidavit and return all of the documents. Additionally, the CE revised policies and procedures and retrained workforce members. The CE also provided OCR with additional documentation including its HIPAA Notice of Privacy Practices Policy, as relevant to this breach investigation. OCR obtained assurances that the CE implemented the corrective actions listed above.
Location of breached information: Paper/Films
Business associate present: No