Owensboro Medical Practice Data Breach (2014)

Owensboro Medical Practice is currently conducting an internal investigation into a data breach that exposed 3,000 patients data. There are conflicting reports on the scope, in terms of the involvement of a business associate (BA), and time line of the data breach. According to 14news.com, the medical practice, located in Owensboro, KY, the breach occurred three years ago and Director of Research for Owensboro Medical Practice, Timothy Hillard said he was aware of the incident.Even if it was one patient, that one patients information is highly important to us and not the entire medical records were taken but demographics such as name, date of birth, age, social security number, which is, you know, very concerning to us. The report also states that Owensboro thinks employees used the data to contact patients in efforts to start their own businesses. Compromised information includes patient names, addresses, telephone numbers, dates of birth, Social Security numbers, and health conditions. However, there are some inconsistencies between the 14 News report and the Owensboro Medical Practice and its BA, Research Integrity, breach notification, which was also posted by PHIPrivacy.net. First, the notice says Owensboro Medical Practice learned of the breach on July 24, 2014 and not three years ago. And, as stated by PHIPrivacy.net, its still unclear from the notice how the organization or the BA discovered the breach in July. On or about July 24, 2014, Owensboro Medical Practice, PLLC, and its business associate, Research Integrity, LLC, learned that a spreadsheet containing protected health information was wrongfully copied and removed from the offices of Research Integrity by a former employee. This occurred despite the fact that only properly authorized persons at Research Integrity had access to the spreadsheet. Owensboro Medical Practice believes the data was only used for research purposes by one of Research Integritys competitors and not for malicious activity. Owensboro Medical Practice and Research Integrity are both investigating the incident and taking steps to ensure that patient information is secure. The companies are also pursuing the return of all hard copies of all information from the spreadsheet, the deletion of all computerized versions of such information on a permanent basis, and permanent injunctions against the persons or entities who had possession of the data from utilizing such data in the future. Because this was a HIPAA violation, Owensboro has alerted the Department of Health and Human Services (HHS) about the breach, but any details of talks with HHS were not disclosed.