Florida Digestive Health Specialists

A patient scheduler at one of the covered entity’s (CE) small subsidiary offices impermissibly accessed the electronic health record (EHR) system via a virtual private network (VPN) and took photographic images of patient data, which she tried to download for printing at Wal-Mart. She accessed the records of about 4,400 patients and photographed those of 430. The protected health information (PHI) involved in the breach included names, addresses, dates of birth, social security numbers, and telephone numbers. The suspect behavior at Wal-Mart was investigated by the County Sheriff, who informed the CE of the breach. The CE provided partial breach notification to affected individuals, HHS, the media, and provided substitute notice on its website. Following the breach, the CE discharged the workforce member and terminated her access to the EHR. The CE updated its privacy and security plan and employee handbook. In addition, the CE improved safeguards by limiting access to its VPN to providers and administrators, and instituted routine weekly audits of EHR system use. After OCR began its review, the covered entity retrained the office manager and the provider who had been at the office where the breach occurred. As a result of OCR’s investigation the CE received technical assistance on the complete requirements for breach notifications.
Location of breached information: Desktop Computer
Business associate present: No