Web Notice to John Muir Health Patients Regarding Potential Impact to Protected Health Information – December 20, 2019
John Muir Health (JMH) is committed to protecting the confidentiality and security of our patients’ information. Regrettably, this notice concerns an incident involving protected health information.
John Muir Health discovered on October 23, 2019, and after further investigation and discovery on November 18, 2019, that the personal email account belonging to a John Muir Cardiovascular Medical Group (JMCVMG) physician, who provides services within John Muir Health (JMH) and John Muir Health Physician Network (JMHPN), had been compromised by an unauthorized third party. We have received no information that the unauthorized third party had a specific interest in medical information or any information specific to his practice. The compromise is suspected to have occurred when the physician used his personal cellular phone on an unsecured public network to access his personal email account.
Action was taken to conduct a thorough review of all email communications in order to assess whether or not any potential patient information was contained in the email box. Based on our review, we discovered that the email box did contain email communications either initiated by a patient or designated individual or between providers. The emails may have consisted of, but would have been limited to, the patient name, date of birth/age, demographic information, diagnoses, medications, dates of service, provider names, appointment information, provider notes, lab orders and results, and outside records. The information involved did not include any financial information, such as a Social Security or credit card number. In response to this incident, John Muir Health notified impacted individuals via U.S. certified mail on November 12, 2019 and December 5, 2019.
Upon discovery, the JMCVMG physician took prompt action to report this matter internally and reset his password in order to prevent any further improper access by the unauthorized party. While John Muir Health does not believe that the protected health information involved was, or will be, further disclosed or used in an adverse manner, this substitute notice is being posted for instances where John Muir Health has not been successful in reaching individuals due to insufficient or out-of-date contact information.
Individuals who do not receive a letter from John Muir Health regarding this matter were most likely not impacted by this incident.
At John Muir Health, protecting and securing patient information is a top priority. We deeply regret any inconvenience this incident may have caused patients. We can assure you we are reviewing this matter and have provided re-education on the appropriate procedures for communications with or involving JMH patients. This includes only utilizing the secure MyChart patient portal and encrypted email in order to prevent a similar occurrence in the future. If you have questions on this posting or would like to know more information, please contact the John Muir Health Privacy Office at 1-844-915-1230.