There are a number of unanswered questions about an incident disclosed by RoxSan Pharmacy today.
See what you think, starting with their press release of today:
As part of its commitment to patient privacy, RoxSan Pharmacy (“RoxSan”) notified 1,049 patients of a potential breach of unsecured personal patient protected health information. RoxSan is notifying affected individuals in as timely a manner as possible, in its efforts to reduce or eliminate potential harm. It was necessary to delay notification because of the protected nature of the forensic investigation, which is now complete.
The incident involved the transmission of a data file to a business associate on January 20, 2015. The data file containing the unsecured information was transmitted to only one individual, a business associate in the legal field, with which RoxSan maintains a Business Associate Agreement. However, since the data file was transmitted for non-health-related reasons, the transmission is considered a breach. The unsecured information includes records dated between April 2015 and August 2015, and includes prescription information, patient identification numbers, drug information, physician names, and insurance information. The data file did not contain patient names or addresses or other personal identification information, and RoxSan has not received any indication that the information has been accessed or used by any unauthorized individual.
As a measure of security, concerned individuals should take the steps below to protect their personal information:
- Call any of the three major credit bureaus to place a fraud alert on your credit report. As soon as the credit bureau confirms your fraud alert, the other two credit bureaus will automatically be notified.
- Order your credit reports. By establishing a fraud alert, you can receive a free copy of your credit report.
- Continue to monitor your credit reports. Continue to monitor your credit reports to ensure an imposter has not opened an account with your personal information.
RoxSan has established a section on its website, www.roxsan.com, with more information about protecting your personal information.
RoxSan sincerely apologizes for the inconvenience and concern this incident may cause you and will continue to do everything it can to correct this situation and fortify its operational protections for you and others.
You may contact RoxSan with questions and concerns by sending a letter to RoxSan Pharmacy, 465 N. Roxbury Drive, Beverly Hills, CA 90210 or an e-mail to [email protected].
SOURCE RoxSan Pharmacy
You may have noticed that the press release says the breach occurred on January 20, 2015, when a file was sent to a business associate. But how did that file contain data from April 2015 – August 2015, then? Something’s wrong with their dates or their explanation.
But I hadn’t even noticed that yet when I sent them an email inquiry asking when RoxSan first discovered that what they had done was actually a breach, how they learned that it was a breach, and what they meant by saying it was necessary to delay notification because of the “protected nature of the forensic investigation.” I wrote to them, “Neither HIPAA nor HITECH have any exemption called, ‘protected nature of the forensic investigation.’ Did law enforcement request, in writing, delay of notification, or not?”
I received an autoresponse to my email inquiry, but it was not what I expected:
Roxsan Pharmacy is temporarily closed. We are working hard at restructuring and plan to open in the very near future. If you need your medication refilled, please contact your physician’s office and have them call your information to another pharmacy. We apologize for the inconvenience and look forward to working with in the future.
Thank you for your patronage.
Did this breach have anything to do with them being closed? Or did they discover the breach while addressing closing/restructuring? RoxSan Pharmacy is a wholly-owned subsidiary of Parallax Health Sciences. There is nothing on RoxSan’s web site that indicates that they have closed or are restructuring.
It would be nice to have some answers.