Theft of Physical PHI at Associated Dermatology Impacts 1,254 Patients

A breach involving physical protected health information (PHI) was reported by the Associated Dermatology & Skin Cancer Clinic of Helena, MT. The PHI of 1,254 patients was potentially compromised. The breach was due to the theft of a journal left in the vehicle of an employee of Associated Dermatology on May 26, 2018. The vehicle was forced open and the journal with PHI was taken by the thief.

The journal held the PHI of patients including names, ages, referring doctors, medical histories, reasons for the visit, and consultation notes. The patients affected by the breach  visited Associated Dermatology from September 1, 2017 to May 24, 2018. Though the journal contained no highly sensitive data that the thief could use for identity theft, there is still the possibility of information misuse.

Currently, no information on patient information misuse has been received. The risk that is likely to occur is the use of the patients’ PHI for phishing scams or social engineering, resulting in the probable disclosure of more information (birth dates, Social Security numbers, health insurance information) by the patients. Patients had been alerted to the possibility of such deceitful acts.

The incident prompted Associated Dermatology to implement additional security measures to protect all PHI from breaches of similar nature. Associated Dermatology informed law enforcement about the theft and the Department of Health and Human Services’ Office for Civil Rights about the PHI breach.