9,800 Aegis Medical Group Patients Affected by Inappropriate PHI Access by a Former Employee

Aegis Medical Group, a Florida-based physician group, started notifying 9,800 patients that a former employee potentially accessed their protected health information (PHI). Purportedly, that individual offered the patient data for sale to third parties that were supposedly involved in identity theft and fraud.

The law enforcement told about the employee’s action to Aegis Medical Group on September 11, 2019. The investigators confirmed the employee’s attempt to sell off two patients’ data. The physician network together with law enforcement discovered that the employee probably accessed approximately 9,800 patients’ information from July 24, 2019 up to September 9, 2019.

The patient records only contained information such as the first and last names, birth dates, postal addresses, Social Security numbers, account numbers, and diagnosis information. Approximately 75% of the information possibly accessed by the employee were physical records, not electronic files.

Aegis Medical Group terminated the employee after receiving law enforcement notice. However, there’s no certain information if a lawsuit was filed against the former employee.

Due to the nature of the compromised data, the group instructed all patients affected by the breach to keep an eye on their explanation of benefits statements, bank accounts, and credit card statements for evidence of data misuse. They should also take the necessary steps to prevent identity theft and fraud. The affected patients also got credit monitoring and identity theft protection services for free.

Aegis Medical Group claims that it keeps all physical records secure. But in trying to better security, physical records are now being converted to digital formats since it is less difficult to secure digital records and keep tabs on unauthorized access. The physician group also made the employees aware of the breach and reminded them about the consequences of unauthorized PHI access and their accountabilities in keeping patient data confidentiality and integrity.