Arizona Pain Clinic Notifies 900K Patients, Providers and Employees about Information Security Incident

Aug. 17, 2016
Phoenix-based Valley Anesthesiology and Pain Consultants is notifying 882,592 patients and all current and former employees and providers about an information security incident due to a third party possibly gaining unauthorized access to its computer systems.

The pain clinic, which comprises 300 anesthesiology and interventional pain management providers, posted a notice on its website regarding an incident involving patient information. According to that notice, on June 13, 2016, Valley Anesthesiology and Pain Consultants (VAPC) learned that a third party may have gained unauthorized access to the VAPC computer systems on March 30, 2016. “Upon learning of the situation, VAPC immediately began an investigation, including hiring a leading forensic firm, and notifying law enforcement,” the notice stated.

“The forensics firm found no evidence that the information on the computer system was accessed, but was unable to definitely rule that out,” the notice stated.

According to a press release that VAPC issued on August 12 about the same security incident, the computer systems may contain patient information, such as patient names, their providers' names, dates of service, places of treatment, names of health insurers, insurance identification numbers, diagnosis and treatment codes, and in some instances, social security numbers.

For providers, the computer systems included credentialing information, such as names, dates of birth, social security numbers, professional license numbers, Drug Enforcement Agency (DEA) numbers, National Provider Identifiers (NPIs), as well as bank account information and potentially other financial information. For employees, the computer systems included names, dates of birth, addresses, social security numbers, bank account information and financial information, such as tax information.

The pain clinic also said that there is no evidence that any patient information was accessed or used inappropriately.

VAPC also stated in the press release that the organization is taking steps to enhance the security of its computer systems to prevent this type of incident from occurring again. These steps include reviewing its security processes, strengthening its network firewalls, and continuing to incorporate best practices in IT security.

The pain clinic also is offering free credit monitoring and identity protection services to those individuals whose social security numbers or Medicare numbers were included in the incident.
