The press release below the separator on this page describes a statistically unusual incident; an explosion at a building adjacent to a covered entity caused an emergency evacuation in which files and file rooms were left open and unsecured. But then the entity and its employees were not allowed to re-enter the building for months. When they did re-enter, they found looters had been in there and stolen computers and devices. There are so many questions to ask about this one. Certainly, the first response is to feel sorry for Main Street Clinical Associates, as this could happen to any entity. But once they were told they could not re-enter the building, then who was responsible for securing their building and offices from unauthorized access? If the unauthorized access occurred on or after July 15, 2019, after the explosion had occurred on April 10, what was done on April 10 or 11 to start to secure things when they were told they could not re-enter the building? Or what did they do at any time before July 15 to prevent looters? I imagine OCR will have some questions about incident response on this one. And I don’t mean to sound unsympathetic to the covered entity. I would bet most entities are not prepared for an incident like this one.  Hopefully, this incident and coverage will stimulate thought by other entities — does your risk analysis and incident response plan include any scenario like what happened to Main Street Clinical Associates? If not, what will you do now? DURHAM, N.C., Nov. 8, 2019 /PRNewswire/ — Although it has no confirmation that personal or protected health information was viewed without authorization, Main Street Clinical Associates, PA (“Main Street”) in Durham, North Carolina announced today that it has taken action after becoming aware of potential unauthorized access to patient information.  Out of an abundance of caution, Main Street is providing notice of this event to potentially impacted individuals, as well as certain regulators. What Happened? On April 10, 2019, the building adjacent to Main Street’s office located in Durham, North Carolina suffered a severe gas explosion. The explosion forced Main Street’s employees to immediately evacuate their office without the opportunity to properly store and secure patient information. At the time of the evacuation, certain patient files in use were left open and the file room containing patient records was unlocked. Due to the nature and extent of the damage to the building, Main Street’s employees were prohibited from reentering the building until September 9, 2019. Upon reentry to their office on September 9, 2019, Main Street discovered that looters had unlawfully entered the office and stolen two laptop computers, a clinician’s cell phone, and a printer that stored patient information. The computers and the cell phone were password-protected, and the client files stored on them were also password-protected. Main Street believes the unauthorized access to the building occurred sometime between July 15, 2019 and September 9, 2019. What Information Was Involved? Although they cannot confirm whether any protected health information was actually accessed, viewed, or acquired without authorization, Main Street is providing this notification out of an abundance of caution, because such activity cannot be ruled out. The following types of patient information may have been accessed or acquired by an unauthorized individual: patient name, driver’s license number, Social Security number, health insurance information, and diagnosis and treatment information. What They Are Doing. The privacy and security of patient information are among Main Street’s highest priorities. When Main Street learned of the theft from their office, they quickly notified local police and filed a police report.  Main Street took additional steps to investigate the potential scope of the incident and to protect against any potential misuse of the stolen devices, including changing the passwords and remotely monitoring for suspicious activity on the devices. The investigation into whether the devices have been accessed without authorization is ongoing. Because Main Street has insufficient contact information for some of the potentially impacted individuals, Main Street is providing notice to potentially impacted individuals by way of a notification published to certain state media outlets. Main Street is mailing notice letters to those individuals for whom it has confirmed mailing address information. For More Information. Main Street has established a dedicated assistance line for individuals seeking additional information regarding this incident. Individuals may call 866-775-4209  9:00 a.m. to 6:30 p.m. EST, Monday through Friday with questions or if they would like additional information. What You Can Do. Although they are not aware of any actual or attempted misuse of patient information, Main Street encourages everyone to remain vigilant and take steps to protect against possible identity theft or other financial loss by reviewing their account statements and Explanation of Benefits statements regularly and monitoring their credit reports for suspicious activity. Under U.S. law, individuals over the age of 18 are entitled to one free credit report annually from each of the three major credit bureaus. To order a free credit report, visit or call, toll-free, 1-877-322-8228. Individuals may also contact the three major credit bureaus directly to request a free copy of their credit report. Main Street encourages individuals who believe they may be affected by this incident to take additional action to further protect against possible identity theft or other financial loss. At no charge, individuals can also have the credit bureaus place a “fraud alert” on their credit file that alerts creditors to take additional steps to verify their identity prior to granting credit in their name. Note, however, that because it tells creditors to follow certain procedures to protect the individual, it may also delay their ability to obtain credit while the agency verifies their identity. As soon as one credit bureau confirms the individual’s fraud alert, the others are notified to place fraud alerts on the individual’s file. Should the individual wish to place a fraud alert, or should the individual have any questions regarding his or her credit report, the individual can contact any one of the agencies listed below. Experian P.O. Box 2002 Allen, TX 75013 1-888-397-3742 TransUnion P.O. Box 2000 Chester, PA 19016 1-800-680-7289 Equifax P.O. […]

Categories: security