3,775 Patients Informed of Unauthorized Access to a New York Physician’s Computer

Ruben U. Carvajal, MD, a doctor in New York, has started informing his patients that unauthorized individuals possibly viewed their protected health information (PHI). Dr. Carvajal learned about the potential health data breach on January 3, 2018, upon receiving advice that the PHI of a number of his patients had been viewable on the internet. The breach was reported to the New York Police Department and the Federal Bureau of Investigation (FBI).

FBI investigators went to Dr. Carvajal’s office and examined the computer. It was confirmed on February 18, 2018, that an unauthorized person viewed the EMR software on his PC. A computer forensics expert meticulously investigated the nature and scope of the data breach. It was found that the unauthorized individual had viewed the doctor’s computer from December 16, 2017, to January 3, 2018, and potentially gained access to the EHR system, although that could not be confirmed.

The data stored on the doctor’s computer that was potentially viewed included the names of patients, addresses, dates of birth, health histories, diagnoses, treatment details, laboratory test results, prescription drugs, medical insurance details, insurance claims information, Medicare and Medicaid ID numbers, and in some cases, Social Security numbers.

Patients were mailed breach notification letters on July 17, 2018. Dr. Carvajal offered his patients credit monitoring and identity theft protection services at no charge. The physician has already taken action to improve security to prevent further data breaches. As per the data breach report submitted to the Department of Health and Human Services’ Office for Civil Rights, 3,775 patients were affected by the breach.