Main Street Clinical Associates, PA Notifies Patients After Looters Steal PHI
The press release below the separator on this page describes a statistically unusual incident; an explosion at a building adjacent to a covered entity caused an emergency evacuation in which files and file rooms were left open and unsecured. But then the entity and its employees were not allowed to re-enter the building for months. When they did re-enter, they found looters had been in there and stolen computers and devices.
There are so many questions to ask about this one. Certainly, the first response is to feel sorry for Main Street Clinical Associates, as this could happen to any entity. But once they were told they could not re-enter the building, then who was responsible for securing their building and offices from unauthorized access? If the unauthorized access occurred on or after July 15, 2019, after the explosion had occurred on April 10, what was done on April 10 or 11 to start to secure things when they were told they could not re-enter the building? Or what did they do at any time before July 15 to prevent looters? I imagine OCR will have some questions about incident response on this one. And I don’t mean to sound unsympathetic to the covered entity. I would bet most entities are not prepared for an incident like this one.
Hopefully, this incident and coverage will stimulate thought by other entities — does your risk analysis and incident response plan include any scenario like what happened to Main Street Clinical Associates? If not, what will you do now?
DURHAM, N.C., Nov. 8, 2019 /PRNewswire/ — Although it has no confirmation that personal or protected health information was viewed without authorization, Main Street Clinical Associates, PA (“Main Street”) in Durham, North Carolina announced today that it has taken action after becoming aware of potential unauthorized access to patient information. Out of an abundance of caution, Main Street is providing notice of this event to potentially impacted individuals, as well as certain regulators.
What Happened? On April 10, 2019, the building adjacent to Main Street’s office located in Durham, North Carolina suffered a severe gas explosion. The explosion forced Main Street’s employees to immediately evacuate their office without the opportunity to properly store and secure patient information. At the time of the evacuation, certain patient files in use were left open and the file room containing patient records was unlocked. Due to the nature and extent of the damage to the building, Main Street’s employees were prohibited from reentering the building until September 9, 2019.
Upon reentry to their office on September 9, 2019, Main Street discovered that looters had unlawfully entered the office and stolen two laptop computers, a clinician’s cell phone, and a printer that stored patient information. The computers and the cell phone were password-protected, and the client files stored on them were also password-protected. Main Street believes the unauthorized access to the building occurred sometime between July 15, 2019 and September 9, 2019.
What Information Was Involved? Although they cannot confirm whether any protected health information was actually accessed, viewed, or acquired without authorization, Main Street is providing this notification out of an abundance of caution, because such activity cannot be ruled out. The following types of patient information may have been accessed or acquired by an unauthorized individual: patient name, driver’s license number, Social Security number, health insurance information, and diagnosis and treatment information.
What They Are Doing. The privacy and security of patient information are among Main Street’s highest priorities. When Main Street learned of the theft from their office, they quickly notified local police and filed a police report. Main Street took additional steps to investigate the potential scope of the incident and to protect against any potential misuse of the stolen devices, including changing the passwords and remotely monitoring for suspicious activity on the devices. The investigation into whether the devices have been accessed without authorization is ongoing.
Because Main Street has insufficient contact information for some of the potentially impacted individuals, Main Street is providing notice to potentially impacted individuals by way of a notification published to certain state media outlets. Main Street is mailing notice letters to those individuals for whom it has confirmed mailing address information.
For More Information. Main Street has established a dedicated assistance line for individuals seeking additional information regarding this incident. Individuals may call 866-775-4209 9:00 a.m. to 6:30 p.m. EST, Monday through Friday with questions or if they would like additional information.
What You Can Do. Although they are not aware of any actual or attempted misuse of patient information, Main Street encourages everyone to remain vigilant and take steps to protect against possible identity theft or other financial loss by reviewing their account statements and Explanation of Benefits statements regularly and monitoring their credit reports for suspicious activity. Under U.S. law, individuals over the age of 18 are entitled to one free credit report annually from each of the three major credit bureaus. To order a free credit report, visit www.annualcreditreport.com or call, toll-free, 1-877-322-8228. Individuals may also contact the three major credit bureaus directly to request a free copy of their credit report.
Main Street encourages individuals who believe they may be affected by this incident to take additional action to further protect against possible identity theft or other financial loss. At no charge, individuals can also have the credit bureaus place a “fraud alert” on their credit file that alerts creditors to take additional steps to verify their identity prior to granting credit in their name. Note, however, that because it tells creditors to follow certain procedures to protect the individual, it may also delay their ability to obtain credit while the agency verifies their identity. As soon as one credit bureau confirms the individual’s fraud alert, the others are notified to place fraud alerts on the individual’s file. Should the individual wish to place a fraud alert, or should the individual have any questions regarding his or her credit report, the individual can contact any one of the agencies listed below.
P.O. Box 2002
Allen, TX 75013
P.O. Box 2000
Chester, PA 19016
P.O. Box 105069
Atlanta, GA 30348
An individual may also place a security freeze on their credit reports. A security freeze prohibits a credit reporting agency from releasing any information from an individual’s credit report without the consumer’s written authorization. However, individuals should be aware that placing a security freeze on their credit report may delay, interfere with, or prevent the timely approval of any requests they make for new loans, credit mortgages, employment, housing, or other services. Pursuant to federal law, you cannot be charged to place or lift a security freeze on your credit report. Individuals will need to place a security freeze separately with each of the three major credit bureaus listed above if the individual wishes to place the freeze on all of their credit files. In order to request a security freeze, you will need to supply your full name, address, date of birth, Social Security number, current address, all addresses for up to five previous years, email address, a copy of your state identification card or driver’s license, and a copy of a utility bill, bank or insurance statement, or other statement proving residence.
To find out more on how to place a security freeze, individuals can contact the credit reporting agencies using the information below:
Individuals can further educate themselves regarding identity theft, fraud alerts, and the steps they can take to protect themselves, by contacting the Federal Trade Commission or their state Attorney General. The Federal Trade Commission can be reached at: 600 Pennsylvania Avenue NW, Washington, D.C. 20580, www.ftc.gov/idtheft/, 1-877-ID-THEFT (1-877-438-4338); TTY: 1-866-653-4261. The Federal Trade Commission also encourages those who discover that their information has been misused to file a complaint with them. Individuals can obtain further information on how to file such a complaint by way of the contact information listed above. Instances of known or suspected identity theft should also be reported to law enforcement. This notice has not been delayed by law enforcement. For Maryland residents, the Attorney General can be contacted by mail at 200 St. Paul Place, Baltimore, MD, 21202; toll-free at 1-888-743-0023; by phone at (410) 576-6300; consumer hotline (410) 528-8662; and online at www.marylandattorneygeneral.gov. For New York Residents: The New York Attorney General provides resources regarding identity theft protection and security breach response at www.ag.ny.gov/internet/privacy-and-identity-theft. The New York Attorney General can be contacted by phone at 1-800-771-7755; toll-free at 1-800-788-9898; and online at www.ag.ny.gov. For North Carolina Residents: The North Carolina Attorney General can be contacted by mail at 9001 Mail Service Center, Raleigh, NC 27699-9001; toll-free at 1-877-566-7226; by phone at 1-919-716-6400, and online at www.ncdoj.gov.
SOURCE Main Street Clinical Associates, PA