GRAND RAPIDS, Mich. — A now-former employee of a Grand Rapids area medical practice improperly handled protected patient information in a HIPAA breach, the practice said.
East Paris Internal Medicine Associates, PC (EPIM), located on Paris Avenue in Grand Rapids, made the announcement in November.
The medical group said it learned about the breach on Oct. 4 and believes patient information was improperly handled on May 11, 2023; June 13, 2024; and October 2, 2024.
More than 5,200 patients were impacted, the health group said.
According to the medical group, a now-former employee sent three unencrypted emails containing protected health information to unsecured personal email accounts.
The person is also accused of connecting a personal thumb drive to their work computer and downloading a file that may have contained protected health information.
Here are the types of protected health information that may have been breached:
- Name
- Medical record number
- Voicemails
- Phone numbers
- Service dates
- Diagnosis codes with description
- Procedure codes with description
- Billing provider name
- Service provider name
- Primary Care Provider
- Name of Health Plan
- Amount paid for service provided
EPIM said they asked the former employee to give them the thumb drive, but the employee declined.
The medical group said they are reinforcing protected health information policies and procedures with all staff members, as well as reviewing their systems to see if they can enhance security.
EPIM said they will contact the Secretary of the U.S. Department of Health and Human Services about the breach.
"We deeply regret any concern this incident may have caused. We are very committed to our patients' privacy and want to assure them that this is an isolated incident caused by a former employee who is no longer with EPIM. Thank you for your understanding and trust in East Paris Internal Medicine," the group said in a statement.
If you have concerns, you can learn more here.