Former Employees of Valley Family Medicine Found Responsible for Data Breach


Two former employees of Valley Family Medicine in Staunton, VA have been discovered to have inappropriately used a patient list, in violation of the practice’s policies.

The patient list was created and used by the company to inform patients of a new practice that was opening in the area. In mid-July this year, one of the employees used the list to send postcards to Valley Family Medicine patients to advise them that a new practice, unaffiliated with Valley Family Medicine, was being opened. Patients were invited to visit the new practice advertised on the postcards.

This breach of patient confidentiality was not discovered by Valley Family Medicine until September 15. In accordance with HIPAA legislation, a full investigation was launched into the cause of the breach. The investigation revealed that the only information used by the employees was the information contained on the list, so the breach was limited to names and addresses. No other protected health information was taken or used by the employees.

The list has since been recovered, and the employment contracts of the two employees have been terminated. Valley Family Medicine has stated its satisfaction that there have been no further misuses or disclosures of the information. The practice is confident that no other copies of the list exist.

In compliance with HIPAA Rules, the breach has been reported to appropriate authorities, including the Department of Health and Human Services’ Office for Civil Rights. All 8,450 patients on the list have been sent a breach notification letter explaining the nature of the incident and informing them that there should be no further consequences for patients.