The Chautauqua Center Identifies Limited Exposure of Patient Information
The Chautauqua Center Identifies Limited Exposure of Patient Information
The Chautauqua Center (TCC) in Jamestown New York has recently announced that the protected health information of 747 individuals has been exposed in a data breach involving its business associate, WebPT, which provides electronic medical record services for Chautauqua Physical and Occupational Therapy.
The incident exposed the information of Chautauqua Physical and Occupational Therapy patients to other healthcare facilities during an upgrade to the EMR system on December 22, 2022. The referral report that was accessible to other healthcare clinics included names, case name/creation date, last seen/referral dates, insurance provider, treatment clinic, referring physician/physician group name, secondary insurance information, and total visit count for each case. WebPT has confirmed that clinical notes from the initial evaluation were not accessible.
Due to the limited nature of the data involved, and the fact that the information was only exposed to HIPAA-covered entities, the risks to patients are believed to be minimal; however, all individuals were notified about the exposure in January. Access to the report was disabled within 19 hours of discovery of the exposure, an analysis was performed to identify the cause of the breach, the staff was retrained, and statements were obtained from all affected clinics confirming that there had been no use or further disclosure of the report.
The Chautauqua Center (TCC) in Jamestown New York has recently announced that the protected health information of 747 individuals has been exposed in a data breach involving its business associate, WebPT, which provides electronic medical record services for Chautauqua Physical and Occupational Therapy.
The incident exposed the information of Chautauqua Physical and Occupational Therapy patients to other healthcare facilities during an upgrade to the EMR system on December 22, 2022. The referral report that was accessible to other healthcare clinics included names, case name/creation date, last seen/referral dates, insurance provider, treatment clinic, referring physician/physician group name, secondary insurance information, and total visit count for each case. WebPT has confirmed that clinical notes from the initial evaluation were not accessible.
Due to the limited nature of the data involved, and the fact that the information was only exposed to HIPAA-covered entities, the risks to patients are believed to be minimal; however, all individuals were notified about the exposure in January. Access to the report was disabled within 19 hours of discovery of the exposure, an analysis was performed to identify the cause of the breach, the staff was retrained, and statements were obtained from all affected clinics confirming that there had been no use or further disclosure of the report.
