On July 11, 2022, Family Practice Center, P.C. (“FPC”) filed notice of a data security incident with the U.S. Department of Health and Human Services, Office for Civil Rights. Evidently, FPC “suffered an attempt to shut down its computer operations,” which resulted in certain patient data being accessible to an unauthorized party. More specifically, the following data types were compromised as a result of the FPC breach: names, Social Security numbers, addresses, medical insurance information, and health and treatment information. Subsequently, FPC filed an official notice of the breach and sent out data breach letters to all affected parties. An estimated 83,969 patients were impacted by the Family Practice Center, P.C. data breach.

If you received a data breach notification, it is essential you understand what is at risk and what you can do about it. To learn more about how to protect yourself from becoming a victim of fraud or identity theft and what your legal options are in the wake of the Family Practice Center data breach, please see our recent piece on the topic here.

What We Know About the Family Practice Center Data Breach

According to the notice provided on the FPC website, as well as the information available on the U.S. Department of Health and Human Services, Office for Civil Rights data breach page, on October 11, 2021, FPC was the target of a cyberattack that attempted to shut down its computer systems. FPC reports that the attempt was unsuccessful. However, because the company had reason to believe that the unauthorized party may have gained access to sensitive patient information, it commenced an investigation into the incident.

On May 21, 2022, as a result of its investigation, Family Practice Center confirmed the affected files contained patient data. At this point, FPC reviewed the compromised files to determine what information was compromised and which patients were affected. While the breached information varies depending on the individual, it may include your name, Social Security number, address, medical insurance information, and health and treatment information.

On July 11, 2022, Family Practice Center sent out data breach letters to all individuals whose information was compromised as a result of the recent data security incident. It is estimated that 83,969 patients were affected by the Family Practice Center, P.C. data breach.

More Information About Family Practice Center, P.C.

Family Practice Center, P.C. operates several full-service medical centers throughout central Pennsylvania and is based in Middleburg, PA. FPC provides a wide range of services to patients, including primary care, pediatric care, medical imaging, physical therapy, occupational health, sleep medicine and skin care clinics. Family Practice Center operates over 30 locations in and around Harrisburg, PA, York, PA, and Selinsgrove, PA. Family Practice Center employs more than 750 people and generates approximately $150 million in annual revenue.

What Is Protected Health Information?

The Family Practice Center, P.C. data breach affected a wide range of patient data, including Social Security numbers, insurance information, health information and treatment information. While FPC did not refer to this data as “protected health information” in its data breach notification, based on the company’s statements, the breach resulted in affected patients’ protected health information being leaked.

Protected health information is any identifying information that relates to a patient’s health condition or how a patient pays for their healthcare. For example, the results of a blood test and insurance claims information can both be considered protected health information. However, health information is only considered protected if it contains at least one identifier. An identifier is an additional piece of data that can be used to identify a patient. A few common identifiers include:

• Account numbers;

• Any geographical identifier more specific than a state;

• Biometric identifiers, including fingerprints;

• Dates of treatment;

• Email addresses;

• Fax numbers;

• Full name, or a last name with an initial;

• Full-face images or other identifying photographs;

• Medical record numbers;

• Phone numbers; and

• Social Security numbers.

When protected health information is leaked, anyone can use the data to identify the patient. While this is certainly alarming on its own, the real problems with healthcare data breaches are not the most obvious ones.

The consequences of a healthcare data breach not only interrupt your life but can also place your physical health at risk. For example, by stealing a patient’s protected health information, they have enough information to commit identity theft against the patient. While any form of identity theft is serious, healthcare identity theft is typically harder to resolve and comes at a far greater cost to patients than traditional data breaches that impact only financial information.

This is because, aside from the typical risks of fraud and unauthorized transactions, healthcare data breaches put patients’ physical health in jeopardy. For example, a hacker may sell a patient’s data to a third party, who then uses the purchased data to obtain medical care in the victim patient’s name. In doing so, the “fake patient” may provide treating physicians with information about themselves that ends up in the victim’s medical record. For example, a fake patient may give a surgeon a list of previous medical procedures, allergies, or current medications. This can result in a patient’s medical record containing inaccurate information.

Healthcare data breaches pose very real risks, and those who fall victim to such a breach should be sure to take the necessary steps to protect themselves.