mdINR LLC

The covered entity (CE), MDINR, LLC, discovered that on November 3, 2014, an information technology employee sent an unsecured email to a manufacturer representative. The email had an attached spreadsheet that included 1,859 patients’ protected health information (PHI). The PHI in the attached excel spreadsheet included patients’ names, billing account numbers, patients’ reporting dates, internal site codes, and the address of the CE-affiliated facility that delivered the equipment. Following the breach, the CE sanctioned the employee who caused the breach with a written warning. The CE confirmed its practice of providing HIPAA Training to all new employees within 30 days of hiring and safeguarding data by providing system access to employees based on an employee’s job title or role. The CE provided breach notification to HHS, and notice to the 1,859 affected individuals. Media notice was not provided due to fewer than 500 affected individuals being in any one state. OCR obtained assurances that the CE implemented the corrective actions listed above.
Location of breached information: Email
Business associate present: No