Two breaches rock Beverly Hills physician practice
Two breach incidents have compromised records at Advanced ENT Head and Neck Surgery, a Beverly Hills, Calif.-based practice with patients in 16 states and four countries.
The provider estimates that the incidents have potentially exposed the healthcare information of about 15,000 patients.
In one of the breaches reported to federal agencies in late May, a contracted employee is believed to have taken photos of patients before and during surgeries, and copied and stolen patient records, says Zain Kadri, MD, who leads the practice.
Data taken by the contract employee is said to include credit and debit card information, identification documents, copies of checks, user names, passwords and recorded conversations, as well as information on the company.
Earlier in May, the practice was struck by a break-in at its facility in which paper records and data devices were taken. The loss of data and information from that first incident has complicated the response because the practice lost contact information for many of its patients, Kadri says.
The practice is working with local pharmacies and other companies in the medical community to locate contact information for its patients.
In the latest breach incident, the contract employee was using a corporate smartphone to acquire data; examination of the phone helped in the discovery of the breach, law enforcement officials said.
The practice issued the following information to patients to head off potential incidents in which callers might identify themselves as working for the Beverly Hills provider. “If anyone contacts you, claiming to be from Advanced ENT Head & Neck Surgery, please get their name and call our main number; then, ask to speak to (that person) directly before continuing the conversation.”
The practice also urged patients to change their credit and debit card numbers, review accounts for unauthorized transactions, notify banks if unauthorized purchases, withdrawals or cash advances are discovered, monitor credit reports and notify local law enforcement if they become a victim of fraud. The announcement of the breaches did not mention the offering of protective services to affected patients, and the organization did not respond to a request for additional information.