PHI of 1,049 Patients Exposed in RoxSan Pharmacy Data Breach

RoxSan Pharmacy, based in Beverly Hills, CA, mailed breach notification letters last month to 1,049 patients. The patients’ protected health information was disclosed to a business associate through unencrypted email on January 20, 2015. The delay in notifying the patients was due to the “protected nature of the forensic investigation.” The press release did not state when RoxSan Pharmacy actually learned of the data breach.

The patients’ protected health information was contained in a data file that was attached to an email and sent to a business associate of the pharmacy, an individual working in the legal field. A business associate agreement governed the relationship between the pharmacy and the business associate, so the individual knew about the responsibilities required by HIPAA with regard to PHI. The problem was the use of unencrypted email to send the data file, which exposed the PHI.

Only a limited amount of PHI was contained in the data file. There was no patient name, Social Security number, financial information or personal identification information in the file. The data file contained only details related to patients who had prescriptions filled from April 2015 to August 2015. These details include prescription information, insurance information, drug information, doctors’ names and patient identification numbers.

RoxSan did not receive any report suggesting that the exposed information was intercepted or misused. As a precaution, the patients were advised to take the necessary steps to protect their identities and to check their accounts for any fraudulent activity. RoxSan also took the steps needed to improve its operational protection and prevent similar incidents from happening in the future.

About Christine Garcia
Christine Garcia is the staff writer on Calculated HIPAA. Christine has several years of experience in writing about healthcare sector issues, with a focus on compliance and cybersecurity. Christine has developed in-depth knowledge of HIPAA regulations. You can follow Christine on Twitter at https://twitter.com/ChrisCalHIPAA