Seguin Dermatology, a solo practice in Seguin, Texas, fell victim to a ransomware attack in mid-September after its server was encrypted.
A contractor was able to remove the ransomware but a forensic examination found a high likelihood that protected health information was accessed, Robert Magnon, MD, told patients in a notice sent earlier this month. “Also, it could not be ruled out that confidential information may have been removed from the server,” he added.
The server did not contain medical records or financial information, but the compromised data included patient names, addresses, telephone numbers and dates of birth, as well as insurance billing information and CPT codes.
An undisclosed number of patients also had their Social Security numbers compromised, and as a result the practice is offering those patients identity and credit monitoring services from Equifax.
“To prevent this from happening again, we are conducting a review of our physical and computer security, reassessing our office’s policies and procedures, and performing staff training,” Magnon told patients. “We continue to monitor the situation and will notify you as necessary.”
Magnon included a comprehensive seven-page notice of privacy practices in patient letters explaining their rights to access their electronic health records, the ability of patients to share the information as they wish, the ability to ask Magnon to limit the information he uses or shares, and to know with whom information is being shared. This type of information generally is not included in notices to patients following a breach.
The practice did not respond to a request for additional information.
(This article appears courtesy of our sister publication, Health Data Management)