It was later found that the business associate failed to properly dispose of the hard drive containing the medical records of more than 100,000 patients.
Although there is no evidence that any PHI has been misused, information contained on the hard drive included patient names, addresses, birth dates, Social Security numbers, medical insurance information, lab results, medical record numbers, and treatment records.
HealthReach Community Health Centers stated, “We are working with cybersecurity counsel to determine the actions to take in response to the incident. Together, we continue to investigate and closely monitor the situation. Further, we are taking steps to prevent a similar event from occurring again in the future, including ensuring our data storage vendors re-train employees and comply with the required safeguards as to the disposal of sensitive information.”
Patients affected by the incident are eligible for complimentary identity theft protection services including 12 months of credit monitoring, a $1 million insurance reimbursement policy, and identity theft recovery services.