It has been discovered that two former employees of Valley Family Medicine in Staunton, VA have inappropriately used details contained on a patient list, in violation of the practice’s stated policies and procedures.
The list of details was used to advise patients of Valley Family medicine that a new practice that was opening in the area. One of the former members of staff used the list to send postcards to Valley Family Medicine patients to tell them that a new practice, not connected to Valley Family Medicine, was opening. Patients were told that they would be welcome at the new practice.
The mailing was broadcast in mid-July 2017, although it was not discovered by Valley Family Medicine until September 15. The discovery lead to a full investigation of the breach, which confirmed that the only details used by the former employees was the data contained on the list. Thankfully, that information was restricted to names and addresses. No other PHI was taken or used by the former employees.
These two former people member are no longer employed at the practice and the list has now been rescued. Valley Family Medicine is happy that there have been no further improper misuses or disclosures of the information, and that no other copies of the list exist.
As per HIPAA Rules, the breach has been made known to appropriate authorities, including the Department of Health and Human Services’ Office for Civil Rights (OCR).
All 8,450 people on the list have been sent a breach notification letter outlining the details of the breach and advised that there should be no further consequences for patients of the practice.