- Arizona-based Valley Anesthesiology and Pain Consultants (VAPC) reported that it discovered unauthorized access on one of its computer systems, which potentially caused the information exposure of 882,590 patients.
VAPC learned about the potential health data breach on June 13, 2016, but the unauthorized access may have occurred on March 30, 2016.
The computer system may have contained patient names, their providers' names, dates of service, places of treatment, names of health insurers, insurance identification numbers, diagnosis and treatment codes, and Social Security numbers in a few cases.
Provider information may also have been exposed, including included credentialing information, such as names, dates of birth, social security numbers, professional license numbers, Drug Enforcement Agency (DEA) numbers, National Provider Identifiers (NPIs), as well as bank account information and potentially other financial information.
Finally, certain employee information, including names, dates of birth, addresses, Social Security numbers, bank account information and financial information, such as tax information, may also have been on the accessed computer network.
“VAPC recognizes the importance of protecting the privacy and security of personal information, and regrets any inconvenience or concern this incident may cause,” VAPC said in a statement. “In addition to security safeguards already in place, VAPC is taking steps to enhance the security of its computer systems in order to prevent this type of incident from occurring again in the future. These steps include reviewing its security processes, strengthening its network firewalls, and continuing to incorporate best practices in IT security.”
Potentially affected individuals whose Social Security numbers or Medicare numbers were involved will be offered free credit monitoring and identity protection services.
There is no evidence that any patient information has been accessed or used inappropriately, VPAC added. However, notification letters began to be sent out to affected patients on August 11, 2016, and there is also a call center for those who have further questions.
Just last week, South Carolina-based Bon Secours Health System, Inc. announced that it experienced a security incident possibly affecting 665,000 patients.
In that case, a vendor inadvertently made patient files available online as it attempted to adjust its computer network settings from April 18, 2016 to April 21, 2016.
Available files may have included patients’ names, health insurers’ names, health insurance identification numbers, limited clinical information, Social Security numbers, and in some instances, bank account information. However, medical records were not available on the internet.
“We deeply regret any concern this may cause our patients,” Bon Secours said on its website. “To help prevent something like this from happening in the future, we are reinforcing standards with our vendors to ensure our patients’ information is securely maintained.”