Aegis Medical Group, a physician group in Florida, began notifying 9,800 patients that a former employee may have accessed their protected health information (PHI). The employee allegedly tried to sell patient data to third parties alleged to be engaged in identity theft and fraud.
Law enforcement informed Aegis Medical Group about the employee on September 11, 2019. The investigation revealed that the employee had attempted to sell the information of two patients. Working with law enforcement, the physician network learned that the employee possibly accessed the information of around 9,800 patients from July 24, 2019 to September 9, 2019.
The information contained in the patient records included only first and last names, postal addresses, birth dates, account numbers, diagnosis data, and Social Security numbers. Around 75% of the potentially accessed records were physical records and not digital copies.
After being notified by law enforcement, Aegis Medical Group fired the employee. It is unclear at this time whether the former employee is facing a lawsuit.
Because of the nature of the exposed information, the group advised all affected patients to monitor their accounts, credit card statements, and explanation of benefits statements for signs of data misuse, and to take steps to avoid identity theft and fraud. Patients are also receiving free credit monitoring and identity theft protection services.
Aegis Medical Group claims that all physical documents were kept securely. Even so, in an effort to enhance security, the physician group is now converting physical records to digital formats, because digital records are easier to protect and to monitor for unauthorized access. Employees were also made aware of the incident and told about the repercussions of inappropriate PHI access and about their responsibilities in preserving the confidentiality and integrity of patient data.