Patient Privacy News

Patient Receipts With PHI Stolen, Recovered From Doctor’s Office

Stolen office receipts at a California doctor's office contained some patients' PHI.

A California doctor's office is notifying patients of a health data breach.

Source: Getty Images

By Lisa Gentes-Hunt

- Sierra Nevada Primary Care Physicians (Sierra Care Physicians) of California began notifying patients of a data security incident that involved the theft of office receipts containing some patients’ PHI.  

On July 16, Sierra Care Physicians began mailing out notifications to impacted patients.  

The office also notified the California Office of the Attorney General of the breach on July 16, according to the Office of the Attorney General’s website. 

“We are writing to inform you of a data security incident experienced by Sierra Nevada Primary Care Physicians (Sierra Care Physicians) that impacted a limited amount of your protected health information (PHI), including your name and credit card information,” states a notification letter mailed to affected patients.  

“Your medical record and any treatment information was not impacted and remains secure. We take the privacy and security of your information seriously, and sincerely apologize for any concern or inconvenience this may cause you.” 

According to a data security incident notice published on the Sierra Care Physicians’ website, the District Attorney’s office informed them on May 18 of the theft and recovery of the receipts. 

“On May 18, 2021, the District Attorney’s office informed Sierra Care Physicians that they had recovered paper receipts belonging to Sierra Care Physicians during an arrest,” the notices states. “The receipts were from the period of January 1, 2019 to March 20, 2019. Sierra Care Physicians accepts payments at the front desk at the time of treatment, over the phone, or via mail.” 

The statement notes that patient payments processed at the doctor's office front desk include the payer’s name, name of the practice, the amount charged, and the last four digits of the card used for payment.  

“If payment was made by phone or mail, then the payor’s name, credit or debit card number, expiration date, CVV number, signature, name of practice and amount charged was present on the receipt,” it notes.  

The physician's office stated that it is implementing changes to prevent another incident from happening again. 

“Although we took steps to protect this information prior to the incident, we had already taken steps to enhance our security of this information before we received the call from the District Attorney’s office,” the letter states. “All receipts are stored in a locked room that only two people have access to, and credit or debit card numbers re blacked-out on the receipts.” 

Misuse of patient information is unlikely; however, the notices states that it is providing affected patients with “identity theft protection services through IDX, the data breach and recovery services expert. IDX identity protection services include: 12 months of CyberScan monitoring, a $1,000,000 insurance reimbursement policy, and fully managed id theft recovery services. With this protection, IDX will help you resolve issues if your identity is compromised.” 

Patients with questions or concerns about the data breach can call 800-939-4170, Monday through Friday, from 5am to 5pm PST.   

“Your trust is a top priority for us, and we deeply regret any inconvenience or concern that this matter may cause you,” Mara Berezniak, Sierra Care Physicians Board President, stated in the patient letter.