Eye Institute of Corpus Christi notifies patients of breach
Here’s yet another case where patients’ personal information and protected health information was stolen and used to solicit patients to another practice.
The Eye Institute of Corpus Christi, through its external counsel, disclosed that on January 6, they learned that individuals associated with doctors formerly employed by the Eye Institute copied the patient database and provided it to the doctors, who then allegedly used it to solicit patients for their practice.
The patient information included patient name, address, date of birth, Social Security number, health insurance and payment information, and diagnoses and records of patient treatment.
Oddly, although the Eye Institute has reported the matter to law enforcement and the state medical board and credit reporting agencies, they make no mention of reporting this incident to HHS. I wonder if that was just an omission in their notification or if they really aren’t reporting this to HHS.
Parenthetically, although the Eye Institute asked the doctors to return the patient information, it’s not clear why they haven’t gone to court to seek an injunction ordering the return of the information and barring the doctors from using the information. Nor is it clear what they have done with regard to the two individuals who copied the information to provide to the doctors. Were they employees who were subsequently fired? Is Eye Institute seeking criminal charges against them? Their response to this whole incident seems somewhat low-key, but they’ve got a highly experienced law firm handling this for them, so I guess they must have their reasons.
You can read the full notification letter signed by Ravi Krishnan, M.D. of the Eye Institute of Corpus Christi on the New Hampshire Attorney General’s Office. The total number of patients affected was not disclosed.