An anesthesiology and pain clinic in Arizona is notifying patients and all current and former employees and providers that a third party may have gained unauthorized access to its computer systems.
Phoenix-based Valley Anesthesiology and Pain Consultants sent notices to approximately 882,590 individuals who may be affected by the security incident.
VAPC learned June 13 that a third party may have accessed its computer systems on March 30. The clinic hired a forensics firm to investigate the incident and notified law enforcement.
While the investigation suggests no information was accessed, the forensics firm "was unable to definitively rule that out," according to a statement from VAPC.
Potentially compromised information for patients includes names, their providers' names, service dates, places of treatment, names of health insurers, insurance ID numbers, diagnosis and treatment codes and some Social Security numbers.
Provider information that may have been compromised includes names, birth dates, Social Security numbers, professional license numbers, DEA numbers, National Provider Identifiers and bank account information.
Employee information that may have been compromised includes names, birth dates, addresses, Social Security numbers, bank account information and financial information, including tax information.
"APC is taking steps to enhance the security of its computer systems in order to prevent this type of incident from occurring again in the future. These steps include reviewing its security processes, strengthening its network firewalls, and continuing to incorporate best practices in IT security," according to VAPC's notice to patients.
More articles on data breaches:
Bon Secours vendor breach affects 655k patients
Company issuing health plan ID cards hit with data breach affecting 3.3M
Oregon State Hospital reports breach after clinician texts patient medical data