When departing employees take your PHI with them….
One of the breaches recently added to HHS’s public breach tool involved PRN Medical Services, LLC, d/b/a Symbius Medical, LLC in Arizona. The incident, which reportedly occurred January 18 and affected 2,200 patients was coded as “Theft, Unauthorized Access/Disclosure, Other” with the location of the data being coded as “Network Server, E-mail.”
As has often been the case the coding of the breach type is not particularly helpful, but a notice uploaded to Symbius’s website on July 14 explains that on May 15, Symbius discovered that five former sales representatives who had access to the system had downloaded patient information shortly before they resigned their positions. The information included names, addresses, phone numbers, dates of birth, Social Security numbers, diagnoses, and treatments.
Symbius obtained a court injunction barring their former employees and the competitors to whom they disclosed the PHI from using the stolen information and demanding its return.
Those patients who have been affected were offered a year of protection through LifeLock.