• A Tale of Two Breach Letters

  • Saturday, the 13th of August, I received a call from a neighbor, telling me about a letter she had received in the mail. It pertained to a recent breach at a medical organization.

    My first thought was that it was a letter from Banner Health, which recently announced a breach affecting 3.7 million individuals. No, it was from another organization that had a breach.

    My neighbor was provided services in November 2015 by Valley Anesthesiology and Pain Consultants (“VAPC”).

    The letter, dated August 12, 2016, stated, “As a provider of anesthesia and pain management services to patients in the Greater Phoenix area, Valley Anesthesiology and Pain Consultants (VAPC)—formerly known as Valley Anesthesiology Consultants Ltd.—is committed to maintaining the privacy and security of our patients’ information. Regrettably, we are writing to inform you of an incident involving some of that information and to share with you the steps we are taking to address it. On June 13, 2016, we learned that a third party may have gained unauthorized access to the VAPC computer systems on March 30, 2016. Upon learning of the situation, VAPC immediately began an investigation, including hiring a leading forensics firm, and notifying law enforcement. The forensics firm found no evidence that the information on the computer systems was accessed, but was unable to definitively rule that out. The computer systems may contain some of your information, such as your name, providers’ names, date of service, name of health insurer, insurance number, place of treatment, and diagnosis and treatment codes. Your social security number and financial information were not included in these computer systems.”

    “Currently, we have no evidence that any of your information has been accessed or used inappropriately. However, because we value our relationship with you, we want to inform you of this incident and provide you with guidance on what you can do to protect yourself. We recommend that you review the explanation of benefits that you receive from your health insurer. If you see services that you did not receive, please contact your insurer immediately.”

    “We deeply regret any inconvenience or concern this may cause our patients. To help prevent something like this from happening in the future, we are taking steps to enhance the security of our computer systems, including reviewing our security processes, strengthening our network firewalls, and continuing to incorporate best practices in IT security. Should you have any questions, please call 1-888-839-9460, from 6 am to 9 pm Pacific Time, Monday through Friday.”

    The letter is pretty straightforward. VAPC believes that no Social Security numbers or financial information were exposed, so I can only surmise that it decided offering one year of free credit monitoring was unnecessary. But what about the exposure of a person’s name, health insurer and health insurance number? We all know identity thieves piece together information from multiple sources to build a usable identity, and a name paired with an insurance identification number is exactly the kind of building block medical identity theft relies on.

    As the title suggests, this is a tale of two breach letters. Let’s review the notice posted on VAPC’s website as required by the Health Insurance Portability and Accountability Act (HIPAA). (Under the Breach Notification Rule, a covered entity must post such a substitute notice on its website when it lacks current contact information for ten or more affected individuals.)

    Are you able to find the marked differences in the information provided between the two letters? Below is the current notice on VAPC’s website:

    “Valley Anesthesiology and Pain Consultants (“VAPC”) is committed to maintaining the privacy and security of personal information provided to VAPC. This notice is to inform our patients of an incident involving patient information.

    On June 13, 2016, VAPC learned that a third party may have gained unauthorized access to the VAPC computer systems on March 30, 2016. Upon learning of the situation, VAPC immediately began an investigation, including hiring a leading forensics firm, and notifying law enforcement. The forensics firm found no evidence that the information on the computer systems was accessed, but was unable to definitively rule that out. The computer systems identified may contain patients’ names, limited clinical information, name of health insurer, insurance identification numbers, and in some instances, social security numbers. Patient financial information was not included in the computer systems.

    We have no evidence that any patient information has been accessed or used inappropriately. However, because we value our relationship with our patients, we began mailing letters to affected patients on August 11, 2016, and established a dedicated call center to answer patients’ questions. If you believe that you are affected, but do not receive a letter by September 9, 2016, please call 1-888-839-9460, from 6:00 AM to 6:00 PM Pacific Time, Monday through Friday. We recommend that affected patients review the statements that they receive from their health insurer. If they see services that they did not receive, please contact the health insurer immediately.

    We regret any inconvenience or concern this may cause our patients. In addition to security safeguards already in place, we are taking steps to enhance the security of our computer systems in order to prevent this type of incident from occurring again in the future. These steps include reviewing our security processes, strengthening our network firewalls, and continuing to incorporate best practices in IT security.”

    The letter mailed to the patient, my neighbor, stated, “Your social security number and financial information were not included in these computer systems.” However, the website notice states, “and in some instances, social security numbers.” The two notices do not even agree on the call center hours: 6 am to 9 pm in the mailed letter, 6:00 AM to 6:00 PM on the website.

    What is a patient to believe? Isn’t trust the foundation of a medical provider?

    As far as my neighbor is concerned, I recommended that she call the 1-888 number to ask why the website notice carries a different message about Social Security numbers, which she did. The customer service representative stated that she should have received information on how to sign up for one year of identity theft and credit monitoring through Experian, and promptly gave that information to her. Additionally, she was told that approximately 882,590 former patients, employees and providers had been notified as affected. Yet, at this writing, one cannot find their breach notification on the HHS Breach Portal. Another oversight, I would imagine. A possibly costly one.

    As a HIPAA consultant, I would grade this breach response and notification with a “D.” VAPC did the right thing by notifying its patients; however, it failed to deliver a clear and transparent message to those affected. No doubt it could experience an erosion of goodwill, not to mention some amount of financial loss.

    Footnote: After writing this article, my family received a breach notification letter from Banner Health, one of 3.7 million. This is not your winning lottery notice. Having been a victim of identity theft previously, we will be taking advantage of the ID monitoring services offered.

    Watch for the release date of JAL’s 2016 Edition of “Practical Guide to Understanding and Implementing HIPAA”

    Judith is an accredited Certified HIPAA Professional (CHP). As the owner of JAL, Judith is your subject matter expert, providing guidance to organizations on HIPAA, GLBA, the False Claims Act and other regulatory requirements. Judith provides reasonable and appropriate compliance policies and procedures within your Compliance Program. As a guru in compliance, Judith delivers compliance employee training programs and participates in educational speaking engagements for the industries that handle Protected Health Information. To read more about the world of compliance, subscribe to JAL’s insightful newsletter at www.jalconsultantsaz.com or follow JAL on Twitter @judithconsult

    Copyright © JAL Consulting 2016