On July 11, 2022, Family Practice Center, PC (“FPC”) filed a data security incident notification with the US Department of Health and Human Services, Office for Civil Rights. Apparently, FPC “suffered an attempt to shut down its computer operations,” which resulted in certain patient data being accessed by an unauthorized party. Specifically, the following types of data were compromised as a result of the FPC breach: names, social security numbers, addresses, medical insurance information, and health and treatment information. The FPC subsequently filed a formal notification of the breach and sent data breach letters to all affected parties. Approximately 83,969 patients were affected by the Family Practice Center computer data breach.
If you’ve been notified of a data breach, it’s important to understand what’s at risk and what you can do about it. To learn more about how to protect yourself from becoming a victim of fraud or identity theft and what your legal options are after the Family Practice Center data breach, please see our recent feature on the topic here.
What we know about the Family Practice Center data breach
According to the notice provided on FPC’s website, as well as information available on the data breach page of the US Department of Health and Human Services, Office for Civil Rights, on October 11, 2021, FPC was the target of a cyber attack that has attempted to shut down its computer systems. FPC reports that the attempt was unsuccessful. However, because the company had reason to believe that an unauthorized party may have accessed sensitive patient information, it opened an investigation into the incident.
On May 21, 2022, as a result of its investigation, the Family Practice Center confirmed that the affected files contained patient data. At that point, the FPC reviewed the compromised files to determine what information was compromised and which patients were affected. Although breached information varies by individual, it may include your name, social security number, address, medical insurance information, and health and treatment information.
On July 11, 2022, the Family Practice Center sent data breach letters to all individuals whose information was compromised as a result of the recent data security incident. An estimated 83,969 patients were affected by the Family Practice Center computer data breach.
More information about Family Practice Center, PC
Family Practice Center, PC operates several full-service medical centers in central Pennsylvania and is based in Middleburg, PA. FPC provides a wide range of services to patients, including primary care, pediatric care, medical imaging, physical therapy, occupational health, sleep medicine and skin care clinics. Family Practice Center operates over 30 locations in and around Harrisburg, PA, York, PA, and Selinsgrove, PA. The Family Practice Center has more than 750 employees and generates approximately $150 million in annual revenue.
What is Protected Health Information?
Family Practice Center, the computer data breach affected a wide range of patient data, including Social Security numbers, insurance information, health information and treatment information. Although FPC did not refer to this data as “protected health information” in its data breach notification, based on the company’s statements, the breach resulted in the leakage of protected health information of the affected patients.
Protected health information is any identifying information that relates to a patient’s health status or how the patient pays for their health care. For example, blood test results and insurance claim information may be considered protected health information. However, health information is only considered protected if it contains at least one identifier. An identifier is an additional piece of data that can be used to identify a patient. A few common identifiers include:
Any geographic identifier more specific than a country;
Biometric identifiers, including fingerprints;
Dates of treatment;
Full name or surname with initial;
Full face images or other identifying photos;
Telephone numbers; and
Social security numbers.
When protected health information is leaked, anyone can use the data to identify the patient. While this is certainly alarming in itself, the real problems with healthcare data breaches are not the most obvious.
The consequences of a health data breach not only disrupt your life, but can also put your physical health at risk. For example, by stealing a patient’s protected health information, they have enough information to commit identity theft against the patient. While any form of identity theft is serious, healthcare identity theft is typically more difficult to resolve and costs far more to patients than traditional data breaches that only affect financial information.
That’s because, in addition to the typical risks of fraud and unauthorized transactions, healthcare data breaches put patients’ physical health at risk. For example, a hacker can sell a patient’s data to a third party, which then uses the purchased data to obtain medical care on behalf of the victim patient. In this way, the “fake patient” can provide treating doctors with information about himself that ends up in the victim’s medical record. For example, a fake patient might give the surgeon a list of previous medical procedures, allergies, or current medications. This can result in a patient’s medical record containing inaccurate information.
Healthcare data breaches carry very real risks, and those who fall victim to such a breach should be sure they have taken the necessary steps to protect themselves.