Pedes Orange County Inc is a healthcare provider in California that specializes in vascular disease treatment. Pedes notified some of its patients that an unauthorized physician accessed their medical records and provided the information to a lawyer.
The facility Pedes uses is shared with another medical group that conducts surgical procedures. The physicians use a common scheduling tool to monitor use of the shared facility. Pedes discovered on November 14, 2017, that a physician belonging to a different medical group had accessed and viewed some of its patients’ electronic medical records (EMR). The physician did not have authorization to access the EMR.
Pedes found out that the physician subsequently disclosed some of the information from the EMR to an attorney. Pedes contacted the physician and made sure that all copies of PHI he took from the EMR system were destroyed and that no copies were retained. The information potentially exposed includes patients’ names, dates of service, diagnoses, treatment and related data. No financial information or Social Security numbers were compromised.
Pedes believes that no PHI was misused. However, this incident is regarded as a security breach according to HIPAA Rules, so patients need to be notified about the PHI breach. Patients were also advised to be cautious and to check their Explanation of Benefits statements and other medical treatment and health insurance information for fraudulent activity.
Because of what happened, Pedes reviewed and updated its security protocols to make sure a security breach such as this does not happen again. The report submitted by Pedes to the Department of Health and Human Services’ Office for Civil Rights indicated that the PHI of up to 917 patients was viewed and potentially compromised.