22 Jun 2018

Med Associates billing company PHI exposure of 270k

Med Associates announced a 'privacy incident' after it noticed “unusual activity” on an employee’s workstation, ultimately determining that PHI may have been accessed without authorization. Information exposed included patient names, dates of birth, addresses, dates of service, diagnosis codes, procedure codes, and insurance information, including insurance ID numbers.

The website announcement reads:

Med Associates, Inc. is writing to provide notice of a recent data security incident that may affect the security of personal information in our care. On March 22, 2018, Med Associates became aware of unusual activity relating to an employee’s workstation occurring that same day. Med Associates immediately began investigating with our IT vendor and subsequently retained a leading third-party forensic investigation firm to assist with our investigation. It was determined that the unauthorized party accessed the workstation and through that, may have had access to certain personal and protected information. While our investigation is ongoing, we have determined that the information that may have been accessible from the workstation would have included patient names, date of birth, address, dates of service, diagnosis codes, procedure codes and insurance information, including insurance ID Number. There was no banking or credit card information contained on or accessible from the workstation. Additionally, we are currently not aware of any misuse of patients’ protected health and/or personal information.

The privacy and security of information in our possession is one of our highest priorities. Upon learning of this incident, we immediately secured the impacted workstation, implemented even more stringent information security standards and have increased staff training on data privacy and security. We have provided information below on the various steps individuals can take to protect their identity.

Once again, we have no indication that information was accessed or misused. Out of an abundance of caution, we are informing individuals whose personal and health information may have been involved by mailing a letter to their last known address. Since it is possible we have outdated contact information for some individuals, we are also providing this notice on our website as required by HIPAA. To learn whether your information was involved, and if so, what types of information, or if you have other questions about the incident, please call 855-206-9883, Monday through Friday, between 8:00 a.m. and 4:00 p.m.
