In 2013 and early 2014, according to University Urology, an administrative assistant provided patient names and addresses to a competing provider “for the purpose of the competitor soliciting patient business.”
The breach was discovered when patients began contacting University Urology on February 13, 2014, to say they had received solicitation letters from the competing provider.
After an investigation, University Urology fired the administrative assistant in question, changed network passwords, retrained current employees on patient privacy, and secured an agreement with the competing provider to destroy the information that had been provided to them.
While no financial information, clinical information or Social Security numbers were exposed, patient names and addresses are considered protected health information (PHI) under HIPAA.
“While it appears that the information subject to the breach was to be used for patient solicitation and there is absolutely no indication that the information may be used for purposes of identity theft, patients may choose to monitor their credit card, bank, or other financial statements for signs of fraud and identity theft,” University Urology said in a statement [PDF].