Rotech Healthcare Inc.

Rotech Healthcare, Inc., the covered entity (“CE”), discovered that medical records from its electronic medical records system were printed, removed from the office, and recovered by the Secret Service. The breach affected 957 patients in 27 states. There were less than 500 individuals affected in any given state. The records involved in the breach contained patients' names, social security numbers, patients' numbers, dates of birth, dates of death, addresses, phone numbers, and the names of the Rotech subsidiary companies from which the individual received healthcare services. The CE sent timely breach notification to HHS and to affected individuals, and posted notification to its website. The CE also offered two years of free identity protection to affected individuals. In response to the breach, the CE revised its data monitoring policies and procedures, revised physical safeguards in office locations with the highest risk factors for a future breach, and sanctioned the employees alleged to have been involved in the breach. OCR obtained assurances that the CE implemented the corrective actions listed above.
Location of breached information: Paper/Films
Business associate present: No