Phoenix, Arizona based Valley Anesthesiology and Pain Consultants (VAPC) has notified 882,590 patients of a potential breach of protected health information (PHI) that occurred on March 30, 2016.

VAPC is an anesthesiology and pain management group of more than 200 physicians. It began notifying patients on August 11, 2016 of the breach involving an unauthorized individual gaining access to VACP’s computer system. The system contained the health records of current and former patients, in addition to employees and providers. Patient names, medical information, dates of birth, insurance ID numbers, bank account information, and social security numbers are all believed to have been accessible at the time of the breach.

Parties potentially involved in the breach have been notified by letter, along with law enforcement officials. A hotline has been set up, and patients involved in the breach have been advised to monitor their insurance statements and notify their insurance company.

Because the breach involved the PHI of more than 500 patients, VAPC is legally bound to report it to the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) as per the HIPAA Breach Notification Rule.

There’s been no word on the status of the OCR investigation yet. OCR’s fine schedule ranges from $100-$50,000 per incident depending on the severity of the breach and the status of the organization’s HIPAA compliance. If the investigation finds that the breach was the result of negligence on the part of VAPC, the forthcoming settlement and fines can easily reach into the millions of dollars, on par with growing trends in OCR’s enforcement efforts.

Covered Entities of all sizes and disciplines have been under intense scrutiny for privacy and security violations over the past few years. HIPAA enforcement efforts will continue to mount against noncompliant organizations, so the best way to defend against these fines is by implementing a total HIPAA compliance plan.

Need Help with HIPAA?

Let our complete HIPAA solution handle it.