United MMC will provide updates regarding the breach of information detailed in the letter below. Transparency in this matter is our utmost concern.
7-22-2017 We have had a few phone calls and emails with questions regarding the notification sent out yesterday. We want to address a couple of questions that patients have asked. Please feel free to contact us and we will respond accordingly during normal business hours.
Q: Are my records out there and does she have them?
A: Since the termination date, access to patient records was revoked. Access to your EHR account is defined by strict user access levels so that information doesn’t fall into the wrong hands. Our records management software is cloud-based, or “off-site”, and uses world-class data centers that feature biometric security, data backups, redundant power supplies and continuous surveillance systems. All your data transfers with us have the highest level of SSL/TLS encryption against malicious parties.
Q: Why the serious notification?
A: We wanted to notify patients in the interest of being 100% transparent. When sending a notification, there are very specific parameters that we are required to address, which is why it was lengthy and tried to cover all questions.
Q: So if it was not patient records, what was it?
A: The information that is in question is isolated to just PATIENT NAME, NUMBER and EMAIL.
Q: How was she able to access the information?
A: We used a scheduling application that allowed the provider to know basically when appointments started and ended for the day. When terminated, the provider was instructed to terminate the data from the scheduling application.
Q: So it was just the provider I saw, not any outside party?
A: Absolutely, this was the actual licensed doctor that you saw when getting your evaluation. No outside access has been permitted or used and we believe the maliciousness was only for competition of the evaluations.
Q: I have never been contacted, what now?
A: Great! Then there is nothing to worry about and she most likely did not have your name, number or email.
Q: What are you doing about this?
A: The procedure is straightforward, as dictated by the investigator. We provide notification, which is why you received the email from us. We tried to be as transparent as possible by just sending it to everyone. We worked with the investigator to make sure all our systems were in fact compliant etc., which has been established. We are now in the process of making sure the name, phone number and email addresses have been deleted from her possession.
Q: How did you find out?
A: We had a patient communicate that there was contact made from a previous provider on 7-19-2017 this past week. We asked this patient if they provided this information to the provider in her appointment setting, which she indicated that she did not. We then determined that we should inform patients and contacted the investigating body.
Q: Ok, so nobody has the records outside of the licensed provider I saw at my appointment… there is nothing I need to do and you are taking care of this?
A: We are taking all the steps that are outlined for an event like this. Normally, when there is a HIPAA breach, it consists of records, birth dates, social security info, diagnoses, etc. With this, the investigator indicated it was straightforward contact info and the only concern was making sure that the information was in fact deleted at this date. Once we showed our compliance was up to date and on par with the requirements, it is just the deletion of the information that we are confirming. We are working on the information being deleted and will send out a notification accordingly. Please check back here for updates.
Breach Notification 7.21.2017