NOTICE OF BREACH OF UNSECURED PROTECTED HEALTH INFORMATION
Hawaii Independent Physicians Association (“HIPA”) on behalf of the physicians listed below is providing public notice (this “Notice”) of a potential breach of unsecured protected health information (“PHI”) to satisfy its obligations pursuant to 45 CFR § 164.406.
HIPA Physicians: HIPA provides services to and on behalf of the following physicians, including services that allow HIPA to have access to certain limited patient information. Thus, HIPA is providing this Notice on behalf of the following physicians (the “HIPA Physicians”):
Dr. Frank Baum Dr. Samuel Johnsen Dr. Julie Rizzolo
Dr. Baybayan Dr. Kenneth Kepler Dr. David Saito
Dr. Steven Brauer Dr. Robert Koch Dr. Sarah See
Dr. Baron Ching Dr. Yefim Levy Dr. Curtis Takemoto-Gentile
Dr. Steve Clark Dr. Jeffrey Lin Dr. Krishanna Takemoto-Gentile
Dr. Stephen Daly Dr. Traci Masaki-Tesoro
Dr. Michael Dung Dr. Robert Mastroianni Dr. Nadine Tenn Salle
Dr. David Fitzpatrick Dr. Richard Min Dr. Noel Termulo
Dr. Jennifer Frank Dr. Marc Miyasaki Dr. Linda Tetor
Dr. Benjamin Gamboa Dr. Ashlee Nekoba Dr. Coralie Texeira
Dr. Benjamin Gozun Dr. Howard Neudorf Dr. Russell Tom
Dr. Sharon Hiu Dr. Susan Nishida Dr. Brent Uyeno
Dr. Aaron Hoo Dr. Justin Ody Dr. Wesley Wong
Dr. Maria Ilar-Revilla Dr. James Okamoto Dr. Thelma Yamada
Dr. Gary Inamine Dr. Landon Opunui Dr. Gayland Yee
Dr. Nikki Inamine Dr. Patrick Pan Dr. Ira Zunin
Dr. Tad Iwanuma Dr. Graeme Reed
What Happened: On February 4, 2021, HIPA became aware that the email account of one of its subcontractors was compromised by an unknown third-party attacker. Specifically, the unknown third party accessed the email account and retrieved personal information of the email account holder. It is unclear, however, whether the attacker accessed other information contained in the email account, including any patient PHI. Immediately upon discovery, HIPA shut down all access to the subject email account, required all HIPA users to change their access credentials (username/passwords) to all email accounts and other system logins and immediately engaged with a cybersecurity firm to investigate the incident. The HIPA Physicians listed were not responsible in any way for the security incident, but HIPA is working closely with them to ensure that all patients are informed about the compromised email account. HIPA takes seriously our responsibility to protect the confidentiality of the personal information of all patients of the above listed physicians.
Who and What Information Was Involved: Data related to past and current patients of the HIPA Physicians listed above was potentially affected. While we have no evidence showing that any patient data was compromised, the cybersecurity firm was not able to definitively conclude whether any data was actually viewed or removed from the subject email account. Accordingly, there is a possibility patients’ full name, date of birth, home address, and general health condition may have been affected. HIPA does not store financial information such as social security numbers or bank account or credit card numbers. Thus, social security numbers and financial information were NOT compromised.
What is Being Done and What You Can Do: Because this potential access to PHI was unauthorized as set forth in the Health Insurance Portability and Accountability Act (“HIPAA”) and its implementing regulations, it constituted a violation of HIPAA. As required by law, potentially impacted patients have been notified and HIPA will report this incident to the U.S. Department of Health and Human Services on behalf of the above HIPA Physicians. As described in this notice, HIPA took immediate action to address the email compromise. The cybersecurity firm completed its investigation and confirmed there was no further infiltration or unauthorized access to the subject email account, other HIPA email accounts or to HIPA equipment, systems and servers. The cybersecurity firm made certain recommendations to strengthen HIPA’s protections to help avoid any future incidents, which HIPA has already begun to implement. We do not expect that patients of the HIPA Physicians listed above will experience any harm from this incident, and there is no action patients need to take at this time other than remaining vigilant and monitoring your credit reports and financial accounts. Should any patient of the HIPA Physicians listed above receive any suspicious communications or become aware of other activity they believe may be related to this event, please have them inform HIPA immediately.
For More Information: For more information or to make further inquiry, please contact us toll-free at (855) 731-3293. This phone number will remain active for at least 90 days from the posting of this notice. Protecting patient PHI is very important to us. You may be assured of the commitment of HIPA and the HIPA Physicians listed above to your security and satisfaction.