Daniel A. Sheldon, M.D., P.A.

On May 18, 2013, OCR received an anonymous complaint alleging that the protected health information (PHI) of the patients of the covered entity (CE), Dr. Daniel Sheldon, M.D., P.A., was accessible on the internet via Google. OCR confirmed the allegations when it identified web search results containing private medical records from a website associated with the practice. Following an investigation by OCR, the practice submitted a breach notification to HHS on September 16, 2015, in which it reported that the PHI of approximately 2,075 patients was potentially viewable online, including addresses, dates of birth, names, and clinical information. In response to the incident, the CE contacted its electronic medical record (“EMR”) hosting company, IOS Health Systems (“IOS”), which immediately secured the information and conducted an internal investigation. IOS changed the file locations of the practice’s EMR records, renamed the file structures, obfuscated file directories, conducted standard security inspections, and began an audit trail review to determine any unauthorized access to the CE's records. Additionally, the CE ensured that users did not share any documents or links via non-secure methods, changed all passwords for all users, confirmed username and password confidentiality policies with all employees, ensured proper antivirus and spyware applications were installed, and verified that its firewall was properly configured with the latest version of security upgrades. In response to OCR’s investigation, the practice provided evidence that provided breach notification to HHS, affected individuals and the media, and offered identity theft protection services. It also terminated its relationship with its EMR system hosting company, IOS, and entered into a revised business associate agreement with a new EMR hosting company. Finally, the CE created new policies regarding its breach notification procedures.
Location of breached information: Network Server
Business associate present: No