NWPC notifies certain patients about insider data theft

Dec 13 2015

Northwest Primary Care (NWPC) is notifying certain patients about a security incident involving information that was stolen by a former employee. On October 13, 2015, NWPC was informed by law enforcement that the employee stole patient names, dates of birth, Social Security numbers, and credit card numbers. The theft occurred between April 2013 and December 2013. The employee compromised the information of 5,372 patients. At this time, there is no indication of use or attempted use of the stolen information.

NWPC is an Oregon Family Practice medical clinic that serves the Milwaukie, Clackamas, Sellwood, and Oregon City area. The practice performs reference checks on all employees. Additional background checks are performed for highly sensitive positions, including positions with access to financial data. NWPC has comprehensive policies and procedures, as well as a Code of Conduct, which prohibit employees from accessing patient records when there is not a work-related reason to do so. Following this theft, NWPC is expanding both its technology monitoring capabilities and employee training on safeguarding and accessing patient records to further bolster privacy safeguards. In response to this incident, NWPC is also adding additional technical precautions to protect patient information from theft or similar criminal activity in the future.

To safeguard affected individuals from any potential misuse of their personal information, NWPC is offering all impacted patients identity theft protection services through ID Experts®, a data breach and recovery services expert. Affected patients will receive complete identity recovery services, 12 months of credit monitoring and a $1,000,000 insurance policy. Patients with questions regarding this incident can visit www.myidcare.com/nwpc or call 1-888-275-7520 Monday through Friday, 6:00 a.m. to 6:00 p.m. Pacific Time, excluding major holidays. The deadline to enroll in these services is March 11, 2016. These costs will be fully borne by NWPC.

"Northwest Primary Care will not tolerate any violation of our patients' privacy," said Michael Whitbeck, Administrator. "The former employee in connection to this violation deliberately and criminally chose to violate established clinic policies, the trust of our patients and the law. We deeply regret that this crime has occurred and for any burden that this incident may cause. This breach of patient data is unacceptable, and we are working to support the law enforcement investigation of this matter."