PHI Breaches at Ambry Genetics and Arizona Endocrinology Center

Ambry Genetics, a genetic testing laboratory based in Aliso Viejo, CA, is notifying 232,772 people regarding the exposure of some of their protected health information (PHI) as a result of a recent email security breach. With about 233,000 records, this healthcare data breach is the second largest reported in 2020.

Ambry Genetics determined that an unauthorized individual gained access to an employee's email account between January 22 and January 24, 2020, and most likely viewed and copied the protected health information of its clients. The security staff and third-party computer forensics specialists could not ascertain whether any data in the compromised accounts was accessed or stolen; however, no report has been received that suggests misuse of any personal information.

A review of the email accounts revealed that they contained information such as names, medical data, and other information associated with the services provided by Ambry Genetics. The Social Security numbers of a small number of people were also exposed.

Ambry Genetics took steps to improve security and provided employees with further training about email security.

Former Arizona Endocrinology Center Physician Takes PHI of 74,000 Patients to New Boss

Arizona Endocrinology Center is notifying 74,122 patients regarding the impermissible disclosure of some of their PHI to another medical group by a physician who left the practice.

Just before Dr. Dwivedi left Arizona Endocrinology Center, he copied patient data and gave the information to More MD, his new employer. The doctor downloaded the following information from the EHR: patient names, addresses, telephone numbers, medical record numbers, and the patients' primary doctors. Dr. Dwivedi did not obtain any Social Security numbers, health insurance information, or financial data.

Arizona Endocrinology Center became aware of the incident on February 17, 2020, when patients began reporting that they had received text messages from More MD telling them that Dr. Dwivedi had transferred to the medical group. More MD also offered its services in the text messages. The breach investigation revealed that the data was downloaded on January 12, 2020.

Arizona Endocrinology Center informed its patients that it does not have any business partnership with More MD and that Dr. Dwivedi is no longer working with the practice. Thus, it has been difficult to get assurances that the patient information has been removed and won’t be used. The practice stated on its website that its patients and their families can contact Dr. Dwivedi and More MD directly to inquire about their personal information.