Back in May, I noted that University of Rochester Medical Center was notifying 3,000 patients because a departing employee had taken patient information with her for her new employer to use to recruit patients.
Now NYS Attorney General Schneiderman has announced a settlement with URMC over the HIPAA breach. The settlement requires the center to pay a $15,000 penalty and agree to train its workforce on policies and procedures related to protecting patient information.
From the press release:
The settlement is in response to a data breach that occurred in the spring of 2015, when a URMC nurse practitioner gave a list containing 3,403 patient names, addresses, and diagnoses to her future employer, Greater Rochester Neurology (“GRN”), without first obtaining authorization from the patients. On April 21, 2015, GRN used the information to mail letters to the patients on the list informing them that the nurse practitioner would be joining the practice and advising them of how to switch to GRN.
URMC learned of the breach three days later, when calls began coming in from patients who were upset about the letter. The nurse practitioner was subsequently terminated, notification letters were sent to the affected patients, and the media was alerted. GRN has attested that all health information transmitted by URMC has been returned or deleted.
A copy of the settlement can be read here.