Mid-Michigan Physicians Announce Data Breach

The radiology center of Mid-Michigan Physicians, which is managed by McLaren Medical Group, has announced that it has experienced a breach of protected health information (PHI). The organisation states that the PHI of over 100,000 patients may have been compromised in the breach.

McLaren Medical Group announced earlier this month that the breach affected a system that stored scanned internal documents. These documents included items such as physician orders and scheduling information, which included protected health information such as names, addresses, telephone numbers, dates of birth, Social Security numbers, medical record numbers, and diagnoses.

McLaren Medical Group discovered the breach in March this year. Although the discovery was made months ago, the investigation into the security breach was only concluded recently. That process was protracted, and breach notifications were delayed until the investigation was completed.

The investigation confirmed that the protected health information of seven individuals was accessed by an unauthorised individual. While the number of records confirmed to have been accessed was small, the organisation stated that the records of approximately 106,000 patients were also exposed and may have been viewed, because the compromised system was the radiology center's document store.

McLaren Medical Group says the affected computer system has been rebuilt with additional security protections in place to prevent incidents of this nature from recurring. All patients affected by the incident have now been notified, and they have been offered credit monitoring and identity theft protection services free of charge.

Breach notification letters have now been issued to all individuals potentially impacted by the security breach, although these letters were sent up to five months after the breach was first identified. The HIPAA Breach Notification Rule requires covered entities to notify individuals impacted by a PHI breach without unreasonable delay, and in no case later than 60 days after the discovery of the breach; the only recognised exception is a documented law enforcement request to delay notification. Absent such a request, a five-month delay places the organisation in clear violation of the HIPAA Breach Notification Rule.

This year, Presence Health settled potential HIPAA Breach Notification Rule violations with OCR for $475,000 after impermissibly delaying the issuing of breach notification letters to patients by about a month. This was the first settlement OCR has reached with a covered entity solely for the late issuing of breach notification letters.

Recently, Deven McGraw, deputy director for health information privacy at OCR, confirmed that waiting the full 60 days to send breach notification letters, when they could have been sent sooner, is itself a violation of HIPAA Rules: the 60-day figure is an outer limit, not a target, and letters must be sent as soon as possible after a breach. A five-month delay will certainly be noticed by OCR, and a financial penalty may be deemed appropriate.