Ambucor Health Solutions (“Ambucor”), a remote monitoring labor service for cardiac devices utilized by Conemaugh Physician Group Cardiology, discovered that thumb drives recovered from a former employee contained some personal information of this customer’s patients. The personal information may have included a patient’s name, date of birth, home address, phone number, medications, race, testing data, Social Security number, patient identification number, medical device information such as the manufacturer, diagnosis, Ambucor enrollment number, Ambucor enrollment date, Ambucor technician name, physician name(s), and the name and address of the practice where the patient was seen. Insurance, Medicaid/Medicare and other financial information were NOT included.
While investigating the former employee's activities shortly before his employment ended, Ambucor determined that he had downloaded information from a company-issued computer to thumb drives. In a related investigation, federal law enforcement authorities provided Ambucor with two thumb drives turned over by the former employee.
Ambucor discovered in July 2016 that the thumb drives likely contained patient data. In September 2016, after completing a detailed review of forensic and other information, Ambucor was able to determine that personal data on the drives was patient data. Ambucor immediately began notifying affected customers on September 24, 2016, including Conemaugh Physician Group Cardiology.
As of this writing, we have received no indication that any personal data has been misused. However, out of an abundance of caution, Ambucor has offered affected patients one year of identity protection services and, if necessary, related recovery services and $1 million of identity theft insurance at no cost. Patients should consider activating the identity protection services.
Conemaugh Physician Group Cardiology takes seriously its responsibility to protect the privacy and security of personal information and deeply regrets any inconvenience or concern this incident may cause its patients. Ambucor officials have also confirmed they are taking steps to prevent this type of incident from occurring again, including a thorough review of and updates to all HIPAA security processes.
For questions or additional details, contact Conemaugh’s Compliance/Privacy Officer at 814-410-8421.