HIPAA WEBSITE SUBSTITUTE NOTICE

Release November 22, 2024

Grand Rapids, MI — East Paris Internal Medicine Associates, PC (EPIM) is committed to protecting the privacy and security of our patients’ health information. We are notifying the public of an incident involving protected health information (PHI). This notice explains what happened, what information was involved, and the steps we are taking in response.

Incident overview and response

On October 4, 2024, East Paris Internal Medicine Associates, PC became aware of a breach of our patients’ personal health information. We have identified the dates of the breach to be May 11, 2023; June 13, 2024; and October 2, 2024.

After the departure of a former EPIM employee, we discovered incidents in which they improperly handled PHI. The former employee sent three unencrypted emails containing protected health information to unsecured personal email accounts. Additionally, they connected a personal thumb drive to their work computer and downloaded a file that we have reason to believe may have contained protected health information. A total of 5,240 patients were impacted.

The protected health information that was disclosed may or may not include:

  • Name

  • Medical record number

  • Voicemails

  • Phone numbers

  • Service dates

  • Diagnosis codes with description

  • Procedure codes with description

  • Billing provider name

  • Service provider name

  • Primary Care Provider

  • Name of Health Plan

  • Amount paid for service provided

The protected health information did not include any sensitive financial information such as credit card numbers or social security numbers.

What are we doing?

EPIM has conducted, and continues to conduct, a thorough investigation to determine the scope and nature of any improper PHI disclosure. EPIM is also taking vigorous action to mitigate the improper disclosure of the PHI. EPIM has requested the thumb drive from the former employee; however, our request was denied. The former employee has not yet confirmed to EPIM’s satisfaction that all PHI has been destroyed. The only two known recipients of the emails containing PHI have told EPIM in writing that neither party viewed the PHI. EPIM does not have reason to believe that the PHI has been misused.

We have also taken these additional steps to protect our patients from further harm or similar circumstances:

  • We are reinforcing our policies and procedures regarding the handling of PHI with all staff members.

  • We are reviewing our systems and processes to further enhance the security of your information.

  • Notification will be given to the Secretary of the U.S. Department of Health and Human Services (HHS).

What our patients can do:

At this time, there is no evidence to suggest that our patients’ information has been misused. We recommend that those impacted remain vigilant for signs of unusual activity. If our patients have concerns or questions about this incident, they can call our toll-free number 1-844-750-0588.

We deeply regret any concern this incident may cause. We are very committed to our patients’ privacy and want to assure them that this is an isolated incident caused by a former employee who is no longer with EPIM. Thank you for your understanding and trust in East Paris Internal Medicine.

Sincerely,

East Paris Internal Medicine Associates