DJO Global PHI Breach Due to Missing Forms Signed by Patients

PHI Breach Due to Missing Forms

DJO Global provides medical devices to help patients maintain and regain natural motion. A data breach at DJO Global exposed some patients’ information to unauthorized persons. The potentially affected patients include those who received a DJO Global device in the Urgent Care Site emergency room, the Same Day Surgery Center of the Siena, San Martin or De Lima campuses of St. Rose Dominican Hospital in Las Vegas, NV from July 17 to October 16, 2017. The patients should have signed a DJO Global Patient Product Agreement when they received the devices, and the forms should have been sent to DJO Global. However, one batch of the forms was not received.

The forms should have been collected by an employee from St. Rose Dominican Hospital and brought to DHL to be delivered to DJO Global. But the forms were lost either during collection from the hospital or during delivery to DHL.

The information printed on the forms includes names, addresses, phone numbers, birth dates, name and location of physician, product order date, product description, date of injury, diagnosis code, health plan information and health plan identification number. Where a patient used a Social Security number as the patient identifier, that number was also included.

No reports have been received indicating misuse of the patients’ exposed information. However, it is possible that a third party obtained the forms and could misuse the data. To protect the patients from potential fraud, DJO Global offered them free credit monitoring services for one year. Patients are advised to obtain copies of their credit reports and to check their credit files and benefits statements for suspicious activity.

In response to the data breach, DJO Global changed its policies and procedures for the delivery of information. New quality controls were implemented to prevent future breach incidents. Its vendors of medical devices also received additional training on handling and securing patient PHI. The covered entity has already mailed notification letters to the patients impacted by the incident, the Department of Justice and the Department of Health and Human Services’ Office for Civil Rights.