Associated Dermatology & Skin Cancer Clinic of Helena, MT, has reported a breach of physical protected health information (PHI) that has impacted 1,254 patients. The incident involved the theft of a journal that an employee of Associated Dermatology left in her vehicle on May 26, 2018. The employee was using the journal to record notes to help her provide care to patients in the future.
The journal contained some PHI, including the patients’ names and ages, referring physicians’ names, notes on medical histories, reasons for consultation, and consultation notes. The patients whose PHI was included in the journal received medical services from Associated Dermatology between September 1, 2017 and May 24, 2018. Although the journal did not include highly sensitive information that could be used for identity theft, the information could be used in a phishing or social engineering attack to convince patients to reveal further information that would enable an attacker to commit identity theft or fraud. Associated Dermatology has not received any reports suggesting the information has been used in this way, but patients have been told to be alert to the risk of such attacks.
Associated Dermatology has now implemented further safety measures to make certain all forms of PHI are secured and incidents of a similar nature will be prevented in the future. The covered entity has already reported the theft to law enforcement authorities and the Department of Health and Human Services’ Office for Civil Rights will be notified of the breach in the next few days.