Valley Anesthesiology and Pain Consultants (“VAPC”), a physician group of more than 200 anesthesiologists and pain management specialists with several locations near Phoenix, Arizona, began notifying patients on August 11, 2016, of a potential data breach involving protected health information (“PHI”), despite the fact that its retained forensic consultant found no evidence that the information on the computer system was accessed. The consultant was, however, unable to rule that out definitively after its investigation, and it did confirm that an individual gained access to a system containing PHI. The physician group elected to take the proactive route of notifying affected individuals. The forensic firm was apparently called in shortly after VAPC learned on June 13, 2016, that a third party may have gained unauthorized access to VAPC’s computer system on March 30, 2016. That system held records of 882,590 current and former patients, employees and providers.
On its website, VAPC says it values its relationship with patients and so decided to mail the notification letters. Law enforcement was also advised, and a dedicated call center has been set up to answer patients’ questions. Patients have been advised to review the statements they receive from their health insurer and to advise the insurer of any unusual activity. The computer system accessed is believed to have contained patient names, limited clinical information, the name of the health insurer, insurance identification numbers, and in some instances, social security numbers (“SSN”). No patient financial information was included in the computer system. For providers, the information included credentialing information such as names, dates of birth, SSNs, professional license numbers, DEA (Drug Enforcement Administration) and NPI (National Provider Identifier) numbers, as well as bank account information and potentially other financial information. The employee records on the system included names, dates of birth, addresses, SSNs, bank account information and financial information. Individuals whose SSN or Medicare number was exposed are being offered credit monitoring and identity theft protection services.
The circumstances of the incident illustrate the quandary created by the HIPAA Breach Notification Rule, which presumes that an impermissible acquisition, access, use or disclosure of PHI is a reportable breach unless the covered entity can demonstrate, through a documented risk assessment, a low probability that the PHI was compromised. In practice, if you cannot prove there was no access to the information, it is difficult to rebut that presumption. The incident also illustrates the interplay between the HIPAA Security Rule, which governs the safeguards around electronic PHI, and the Privacy Rule, which governs its use and disclosure. Here, it was apparently established that the system’s security was breached, but it remained unclear whether PHI was actually accessed once the unauthorized individual was in the system.