DJO Global PHI Breach Due to Missing Forms Signed by Patients

DJO Global provides medical devices that help patients maintain and regain natural motion. A data breach at DJO Global exposed some patients’ information to unauthorized persons. The potentially affected patients are those who received a DJO Global device in the Urgent Care Site emergency room, the Same Day Surgery Center of the Siena, San Martin or De Lima campuses of St. Rose Dominican Hospital in Las Vegas, NV from July 17 to October 16, 2017. Patients should have signed a DJO Global Patient Product Agreement when they received their devices, and the signed forms should have been sent to DJO Global. However, one batch of the forms was never received.

The forms should have been collected by an employee from St. Rose Dominican Hospital and brought to DHL to be delivered to DJO Global. But the forms were lost either during collection from the hospital or during delivery to DHL.

The information printed on the forms includes names, addresses, phone numbers, birth dates, name and location of physician, product order date, product description, date of injury, diagnosis code, health plan information and health plan identification number. Where a patient used a Social Security number as the patient identifier, that number was also included.

No reports have been received indicating misuse of the exposed patient information. However, a third party may have obtained the forms, so data misuse is possible. To protect the patients from potential fraud, DJO Global offered them free credit monitoring services for one year. It is recommended that they obtain copies of their credit reports and check their credit files and benefits statements for suspicious activity.

In response to the data breach, DJO Global changed its policies and procedures for delivery of information. New quality controls were implemented to prevent future breach incidents. Its vendors of medical devices also received additional training on handling and securing patient PHI. The covered entity has already mailed notification letters to the patients impacted by the incident, the Department of Justice and the Department of Health and Human Services’ Office for Civil Rights.

About Liam Johnson
Liam Johnson has produced articles about HIPAA for several years. He has extensive experience in healthcare privacy and security. With a deep understanding of the complex legal and regulatory landscape surrounding patient data protection, Liam has dedicated his career to helping organizations navigate the intricacies of HIPAA compliance. Liam focusses on the challenges faced by healthcare providers, insurance companies, and business associates in complying with HIPAA regulations. Liam has been published in leading healthcare publications, including The HIPAA Journal. Liam was appointed Editor-in-Chief of The HIPAA Guide in 2023. Contact Liam via LinkedIn: https://www.linkedin.com/in/liamhipaa/