The Florida physician network Aegis Medical Group has begun contacting 9,800 patients to advise them that their protected health information may have been obtained and viewed by a former employee. That individual is thought to have tried to sell patient records to third parties believed to have been participating in identity theft and fraud.
Aegis Medical Group was contacted by law enforcement agencies on September 11, 2019 in relation to the employee. The law enforcement investigation found that the employee attempted to sell the information of just two patients. Working with law enforcement agencies, the physician network found that the records of up to 9,800 patients were potentially accessed by the employee between July 24, 2019 and September 9, 2019.
The data included in the records was limited to first and last names, dates of birth, account numbers, postal addresses, diagnosis information, and Social Security numbers. Approximately 75% of the records that may have been obtained were physical records rather than electronic copies.
After notification by law enforcement agencies, Aegis Medical Group immediately terminated the employee. It is not currently known whether the former employee has been charged.
Due to the nature of the data exposed, all impacted patients have been advised to review their accounts, explanation of benefits statements, and credit card statements for signs of improper use of their information, and have been told about other steps they can take to prevent identity theft and fraud. Complimentary credit monitoring and identity theft protection services are also being provided.
Aegis Medical Group has confirmed that all physical records were stored in the correct manner. To enhance security, however, physical records are now being converted to digital formats, as digital records are much simpler to secure and monitor for unauthorized access. Employees have been contacted in relation to the incident and told about the consequences of improper PHI access and the importance of maintaining the confidentiality and security of patient records.