Phoenix Cardiac Surgery Group Data Breach (2007)

On February 19, 2009, OCR notified the Covered Entity of its initiation of an investigation of a complaint alleging that the Covered Entity had impermissibly disclosed electronic protected health information (ePHI) by making it publicly available on the Internet. From July 3, 2007 until February 6, 2009, Covered Entity posted over 1,000 separate entries of ePHI on a publicly accessible, Internet-based calendar