RoxSan Pharmacy, based in Beverly Hills, CA, mailed breach notification letters last month to 1,049 patients. The patients’ protected health information was disclosed to a business associate through unencrypted email on January 20, 2015. The delay in notifying the patients was due to the “protected nature of the forensic investigation.” The press release did not state when RoxSan Pharmacy actually learned of the data breach.
The patients’ protected health information was contained in a data file that was attached to an email and sent to a business associate of the pharmacy, an individual working in the legal field. A business associate agreement governed the relationship between the pharmacy and the business associate, so the individual knew about the responsibilities required by HIPAA with regard to PHI. The problem was that the data file was sent by unencrypted email, which exposed the PHI.
Only a limited amount of PHI was contained in the data file. The file contained no patient names, Social Security numbers, financial information or personal identification information. It contained only details related to patients who had prescriptions filled from April 2015 to August 2015. These details include prescription information, insurance information, drug information, doctors’ names and patient identification numbers.
RoxSan did not receive any report that would suggest the exposed information was intercepted or misused. As a precaution, however, the patients were advised to take the necessary steps to protect their identities and to check their accounts for any fraudulent activity. RoxSan also did what was needed to improve its operational protection and prevent similar incidents from happening in the future.