MSO of Puerto Rico, Inc.

The covered entity's (CE) business associate (BA) erroneously merged two lists which led to the disclosure of protected health information (PHI) of 1,907 individuals. The PHI included names, internal identification numbers, and the number of emergency room visits. Upon discovery of the breach, the CE's BA established a quality control process in order to ensure adequate safeguards for that letters that are sent by mail. As a result of OCR's investigation, the CE created and implemented additional policies and procedures for quality control of mailings. The CE also provided training to all staff on its revised privacy and security policies and procedures.
\
\
\
Location of breached information: Paper/Films
Business associate present: Yes