The Florida physician network, Aegis Medical Group, has started notifying 9,800 patients that their protected health information may have been accessed by a former employee. That individual is understood to have attempted to sell patient records to third parties suspected of being involved in identity theft and fraud.
Law enforcement informed Aegis Medical Group about the employee on September 11, 2019. The law enforcement investigation determined that the employee attempted to sell the data of just two patients. Working with law enforcement, the physician network determined that the records of up to 9,800 patients were potentially accessed by the employee between July 24, 2019 and September 9, 2019.
The information contained in the records was limited to first and last names, dates of birth, account numbers, postal addresses, diagnosis information, and Social Security numbers. Approximately 75% of the records that may have been accessed were physical records rather than electronic copies.
Following notification by law enforcement, Aegis Medical Group immediately terminated the employee. It is currently unclear whether the former employee has been charged.
Due to the nature of the data exposed, all affected patients have been advised to monitor their accounts, explanation of benefits statements, and credit card statements for signs of misuse of their information, and have been told about other steps they can take to prevent identity theft and fraud. Complimentary credit monitoring and identity theft protection services are also being provided.
Aegis Medical Group has confirmed that all physical records were stored properly. To improve security, physical records are now being converted to digital formats, as digital records are easier to secure and monitor for unauthorized access. Employees have been notified about the incident and told about the consequences of improper PHI access and the importance of maintaining the confidentiality and security of patient records.
The post Former Aegis Medical Group Employee Potentially Accessed 9,800 Records Without Authorization appeared first on HIPAA Journal.