PHI of 3,775 Patients of a New York Physician Potentially Exposed

Ruben U. Carvajal, MD, a physician in New York began notifying his patients that unauthorized persons potentially accessed their protected health information (PHI). Dr Carvajal knew about the possible privacy breach on January 3, 2018 when he received information that the PHI of some of his patients was viewable online. The matter was investigated and reported to the Federal Bureau of Investigation (FBI) and the New York Police Department.

The FBI sent investigators to Dr. Carvajal’s office and inspected his computer. It was confirmed on February 18, 2018 that an unauthorized person accessed the EMR program on his computer. A forensic investigator came in to thoroughly investigate the nature and extent of the breach. It was determined that the unauthorized person had accessed the physician’s computer from December 16, 2017 to January 3, 2018. Whoever accessed the physician’s computer most likely accessed the EMR system as well but the forensic investigator did not confirm this. But the FBI investigation findings assumed that access likely happened.

The potentially viewed information contained in the physicians computer included patients’ names, birthdates, addresses, diagnoses, medical histories, treatment data, laboratory test results, prescription medications, medical insurance information and claims details. For patients using their Medicare also had their Medicare ID numbers and Social Security numbers potentially exposed.

Patients received notification about the breach on July 17, 2018. Dr. Carvajal also offered patients free credit monitoring and identity theft protection services. The doctor has also taken steps to enhance security so that similar breaches will not happen again in the future. According to the breach report sent in to the Department of Health and Human Services’ Office for Civil Rights, the PHI of 3,775 patients was exposed.

About Christine Garcia 1299 Articles
Christine Garcia is the staff writer on Calculated HIPAA. Christine has several years experience in writing about healthcare sector issues with a focus on the compliance and cybersecurity issues. Christine has developed in-depth knowledge of HIPAA regulations. You can contact Christine at [email protected]. You can follow Christine on Twitter at