Valley Anesthesiology Consultants, Inc. d/b/a Valley Anesthesiology and Pain Consultants

Name of Entity
Valley Anesthesiology Consultants, Inc. d/b/a Valley Anesthesiology and Pain Consultants
Organization Type
Healthcare, Medical Providers & Medical Insurance Services
Address

AZ
United States

Description
The covered entity (CE), Valley Anesthesiology Consultants, Inc., d/b/a Valley Anesthesiology and Pain Consultants, was acquired by Sheridan Healthcorp, Inc., and became its subsidiary. A third party may have gained unauthorized access to the CE’s computer systems on March 30, 2016, affecting 88,590 individuals. The types of electronic protected health information (ePHI) that were potentially accessed included demographic and clinical information. In response to the breach, the CE immediately disabled the account through which unauthorized access was potentially gained. A forensics firm investigated the breach and reported that approximately nine additional foreign internet protocol (IP) addresses attempted to use remote desktop protocols to access various parts of the CE’s computer systems using accounts with administrator privileges. The CE “blacklisted” these IP addresses as the investigation continued in order to allow the firewall to block any attempts to access the electronic health record program through the remote desktop protocol. The forensics firm also identified fifteen suspicious local accounts and three administration accounts that were potentially compromised. The CE provided breach notification to HHS, affected individuals, and the media, and posted substitute notice in accordance with the Breach Notification Rule. OCR provided technical assistance regarding the CE’s obligations to conduct a comprehensive and current security risk analysis and implement a corresponding risk management/mitigation plan to address any findings. OCR also provided technical assistance regarding the CE’s obligations to document evidence of its implemented security awareness training program, to include training material (not just email reminders), and a record of completion by workforce and management. Additionally, OCR stated the expectation that the CE clarify why non-ePHI applications are not governed by the same user access review procedures.
Location of breached information: Network Server
Business associate present: No
Date of Breach
01/01/2016