We are posting this letter to the community as part of Cornerstone Foot and Ankle’s commitment to patient privacy. We take patient privacy very seriously, and it is important to us that you are made fully aware of a potential privacy issue.

We have learned that some of our patients' personal information, including your first and last name, medical record number, procedure code, dates of service, service location, treating physician and insurance carrier information, may have been compromised. On February 14, 2018, it was discovered that one of our employees, willfully and against Cornerstone Foot and Ankle's privacy policies, took a copy of a limited portion of information dating back to January 1, 2017. On January 17, 2018, the employee emailed to her personal email account a spreadsheet that contained some electronic protected health information (ePHI). We are not sure what her intent was, but we can assure you we have taken all necessary steps to make sure the privacy of our patients is secure. We can tell you that your date of birth, address, social security number and credit card numbers were not part of the breached data. We had our attorneys send a demand letter to this employee requiring the return and/or destruction of the data. The employee has contacted our attorneys and advised that all PHI was deleted, destroyed and removed from her computer and email account. We have also reported the incident to the police because the theft of personal data is a violation of state as well as federal law. We have not received any indication that the information has been used for nefarious purposes. The employee is no longer with the company.

We are keenly aware of how important your personal information is to you. It is important to note that Cornerstone Foot and Ankle will NOT call or email anyone for purposes of requesting any personal information as a result of this situation. If you receive an unsolicited call or email that appears to be from Cornerstone Foot and Ankle or a purported representative, please do not provide any personal information in response to these calls or emails.

We understand that this may pose an inconvenience to you. We sincerely apologize and regret that this situation has occurred. Cornerstone Foot and Ankle is committed to providing quality care, including protecting your personal information, and we want to assure you that we have policies and procedures in place to protect your privacy. Every employee goes through both privacy and security training and testing upon being hired, and at least once per year thereafter. We currently employ a third party to analyze our HIPAA compliance on a yearly basis and advise us of ways we can improve; our audit in December 2017 showed that top-level security and privacy measures were in place across all offices and systems. We also have a number of technology measures in place to prevent any intentional or accidental breach of your information, including multiple secure login steps and restricted access. Every computer is encrypted and protected by no fewer than two passwords. All paperwork containing PHI is disposed of in a locked shredding bin and picked up for secure disposal once per month. In response to the former employee's actions that resulted in the breach, we have now taken the additional step of encrypting all emails leaving a Cornerstone email address, regardless of content.

If you have any questions regarding our policies or your information please contact our HIPAA Privacy Officer, Nicole Baylinson at Cornerstone Foot and Ankle, 100 Kings Way East – Suite D-6, Sewell, New Jersey 08080 Phone: 856-582-6082 ext 113, or  E-mail: [email protected].

Sincerely,

Nicole Baylinson

Practice Administrator

HIPAA Privacy Officer

Cornerstone Foot & Ankle

Hinori 07/22/2019 08:21 AM
The HIPAA compliance checklist has been divided into segments for each of the applicable rules. It should be pointed out that there is no hierarchy in HIPAA regulations, and even though privacy and security measures are referred to as "addressable", this does not mean they are optional. Each of the criteria in our HIPAA compliance checklist has to be adhered to if your organization is to achieve full HIPAA compliance.