Now that I have additional information on a hacking incident involving the protected health information (PHI) of 156,000 patients of the Ankle + Foot Center of Tampa Bay, it is clear that this breach belongs on this site. I had previously noted it on PHIprivacy.net on January 29 after it appeared on HHS’s breach tool. At the time, however, I found no statement on the center’s web site or additional details.
A copy of the center’s notification letter to patients dated January 7th subsequently became available on their web site. It reads, in part:
On or about November 10, 2010, the Company learned that outside third party attempts had been made against the Practice Management System that stores your personal patient data, including your health information.
The information accessed by this unauthorized third party included information such as patient names, social security numbers, date of birth, home addressees, account numbers, and healthcare services and related diagnostic code(s) (“Personal Information”). The Company is conducting an internal investigation of the circumstances surrounding the unauthorized third party’s actions and appropriate authorities have been notified.
And in a “personal statement” also posted to their site, they write:
I understand your concern, Ankle and Foot center has no evidence that any of their patients lives have been adversely affected, nor do we have any evidence to date that their data has been compromised. This is strictly a preventative measure on the part of Ankle and Foot Centers to notify all of their patients that there may have been a breach and to closely monitor their own personal records for any unauthorized changes. Ankle and Foot Centers has elected to voluntarily notify the proper authorities at the Health and Human Services and is working closely with the FBI to ensure that our patients data still is, and always will remain confidential. If you have any further questions please call our 877 number or visit our website. This is an ongoing investigation and this is what we know
The personal statement seems to be more confusing or self-serving than anything. Having told patients that their information was accessed, they are then also told that “there may have been a breach” and there is no evidence to date that their data “has been compromised.” What will most members of the public do with such information in light of that statement? Is it overly reassuring and would they have been better off being told, “Look, you could be at risk of identity theft or fraudulent use of your data, so we strongly recommend that you….”
I really wish Congress would enact legislation that specifies important required elements of a breach disclosure/notice and that prohibits certain kinds of misleading statements.