BreachExchange mailing list archives

Patient Information Breach At The MED


From: Erica Absetz <erica () riskbasedsecurity com>
Date: Mon, 13 May 2013 09:04:54 -0400

http://wreg.com/2013/05/10/patient-information-breach-at-the-med/

(Memphis) The MED is alerting some patients who were treated at their
outpatient facility that their personal information may have been
accidentally sent out in one of three emails sent out by an employee.

That information includes the social security number, phone number and
reasons for therapy.

This impacts almost 1200 patients who were treated here between May of
2012 and January of 2013.

Michael England says with all the information you’re required to give
it’s no wonder personal information gets leaked from time to time.

“They have to closely guard that information! You could invent me ten
times over with the information that’s given out as a patient here,”
said England.

The MED says this happened because an employee accidentally attached a
list of medical records to an email and sent it out.  England says
that’s no excuse.

“Can they come up with a computer program that will guard that
information and not allow it to be attached unless you go through an
elaborate set of circumstances,” said England.

This patient just got out of the ER and says this is a sign of the times.

The MED is offering one year of free credit monitoring for them to
make sure their information isn’t improperly used.

The MED says they are working with the organizations that received
those emails to make sure none of the information is compromised and
they say they have reason to believe most of the emails were deleted
without any problems.

Regional Medical Center Notifies Patients of Privacy Issue

Memphis, Tenn. — Regional Medical Center (medical center) is committed
to protecting our patients’ privacy. We take patient privacy very
seriously, and it is important to us that our patients are made aware
of any potential privacy issue.

On March 15, 2013, the medical center discovered that three unsecure
emails with an attachment containing the personal information of
outpatient physical therapy patients who received services between May
1, 2012 and January 31, 2013 were sent out. The emails were sent on
October 29, 2012, November 1, 2012 and February 4, 2013, and the
attachment included personal information, including the patient’s
name, patient account number, date of birth, social security number,
home phone number, and type/reason for outpatient physical therapy
services.

The medical center has been and will continue to work closely with the
company that received the emails, and it is believed the emails were
deleted and not further used or disclosed at the time of the incident.

The medical center believes this was an innocent employee mistake and
has not received any indication that patient information has been used
or further disclosed in an inappropriate manner by anyone. However, in
an abundance of caution, the medical center is notifying affected
patients of this incident by letter and has retained a specialty firm
to provide one year of free credit monitoring services to affected
patients. While the medical center maintains a robust privacy and
security compliance program, it also has taken internal steps to help
ensure this does not happen again.

The medical center understands the importance of safeguarding patient
privacy and takes that responsibility very seriously. It regrets this
incident occurred and is committed to preventing such occurrences in
the future.

Patients who received treatment at the medical center’s outpatient
physical therapy unit between May 1, 2012 and January 31, 2013 may
contact 1-855-716-3627 for more information.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://datalossdb.org/mailing_list