Notice of Privacy Incident
Notice to Our Patients of Privacy Incident
At Legacy Health, we are committed to protecting the confidentiality and security of our patients’ information. Regrettably, this notice concerns an incident involving some of that information. This notice explains the incident, outlines the measures we have taken in response, and offers steps patients can take as a precaution. This incident did not affect all of our patients but only only a small percentage of Legacy Health patients who had tests run in our lab.
What Happened? On July 25, 2022, our Privacy Office learned that an employee in our lab had saved Legacy Health files to external devices without authorization. We immediately suspended the employee’s access to Legacy Health’s systems, and began an investigation with the assistance of a third-party forensics firm. Our investigation determined that the employee transferred Legacy Health files to personal storage via external drives and email. We conducted numerous interviews with the employee, who was unable to provide a valid work-related reason for the disclosures.
What Information Was Involved? We conducted a thorough review of the files involved to identify individuals that may be affected. Based on our review, the files contain patients’ names and one or more of the following: date of birth, medical record number, date(s) of service, provider names, health insurance information, diagnosis and/or treatment information. For a limited number of patients, a Social security number was also included.
What We Are Doing & What You Can Do. We have no reason to believe, at this time, that any patient information has been misused as a result of this incident. However, in an abundance of caution, beginning November 23, 2022, we are mailing letters to the patients whose information was contained in the files. We also have established a dedicated call center regarding this specific matter that affected individuals can contact for more information, available at 1-855-681-3527, from 6 a.m. to 6 p.m. Pacific time, Monday through Friday. For the limited number of patients whose Social Security number was included, Legacy Health is offering complimentary credit monitoring and identity protection services. Legacy Health also recommends patients review statements they receive from their healthcare providers and health insurer, and report any inaccuracies to the provider or insurer immediately.
We sincerely regret any concern this incident may cause. We addressed this issue in accordance with our disciplinary policies and the employee no longer works for Legacy Health. We also reported the incident to law enforcement and continue to work it. Additionally, we will continue to take steps to help prevent a similar occurrence, including reinforcing staff training regarding appropriate use and disclosures of patient information, thoroughly investigating privacy complaints, and appropriately disciplining workforce members who violate Legacy Health’s privacy policies.