University Urology, P.C. Data Breach (2013)

University Urology, P.C. of Knoxville, Tenn. released a statement on April 11 that detailed how 1,144 patients data had been exposed in 2013 and early 2014. Though the information was limited to patient names and addresses, University Urology said in statement posted on its website that Social Security Numbers, financial account information, clinical information were not exposed. According to the statement, an administrative assistant had gathered the data in efforts to sell it to a competing provider to help gain patient business. Patients began calling University Urology on February 13, 2014 to alert the organization that the competing provider had unexpectedly been soliciting their business. We understand that any breach of protected health information is a concern for our patients. We sincerely regret this situation occurred, said Peggy Kares, HIPAA Security Officer at University Urology, P.C. Following the breach, University Urology spoke with the breaching employee, terminated their employment, revoked their access to protected health information (PHI), changed internal passwords and agreed with the competing organization that received the patient information to destroy it. The organization added that employees would be retrained on patient privacy best practices. University Urology, P.C. is notifying by mail the patients impacted by this breach. While it appears that the information subject to the breach was to be used for patient solicitation and there is absolutely no indication that the information may be used for purposes of identity theft, patients may choose to monitor their credit card, bank, or other financial statements for signs of fraud and identity theft. The level of culpability on the part of the competing provider in this breach is the most interesting part, considering it came to an agreement with University Urology. HealthITSecurity.com will post more details on the breach as they come out.