HIPAA BREACH NOTIFICATIONS
📆 Last Updated on: March 14, 2025
At Full Potential HRT Clinic, we take patient privacy and data security seriously. In compliance with the Health Insurance Portability and Accountability Act (HIPAA) and applicable regulations, we are notifying affected individuals of certain breaches of protected health information (PHI) that were discovered through internal audits.
What Happened?
Through security audits and investigations, Full Potential HRT Clinic identified multiple instances of unauthorized access to patient records by a former employee. The following breaches were reported to the U.S. Department of Health & Human Services (HHS):
Breach Summaries
1) Unauthorized Access to Patient Records
- What Happened: A former employee accessed the dashboard view of approximately 266 patient records in our electronic health records (EHR) system without a valid business reason.
- What Information Was Involved: Demographic details, medical history, allergies, diagnoses, medications, family and social history, and treatment-related data.
- Report Date: February 28, 2025
2) Snooping on Patient Charts
- What Happened: A former employee accessed the medical records of approximately 140 patients without authorization, including employees and other providers’ patients.
- What Information Was Involved: Patient demographics, clinical notes, medical history, treatment plans, and other PHI.
- Report Date: February 28, 2025
3) Unauthorized Individual Brought into Clinic
- What Happened: A former employee repeatedly brought an unauthorized non-employee individual into their private office and other restricted clinic areas. This individual was present while patient records and lab results were handled and was left unsupervised in a room where PHI was visible.
- What Information Was Involved: The extent of unauthorized exposure to PHI is unknown, but it may have included lab results, treatment information, patient notes, and demographic data.
- Report Date: March 7, 2025
4) Theft of Patient List
- What Happened: On the day of their termination, a former employee stole a list of approximately 300 patient names and information from the clinic’s database.
- What Information Was Involved: Patient names, appointment history, and medical details.
- Report Date: March 1, 2025
What We Are Doing to Prevent Future Incidents
We have taken the following actions to improve security and ensure compliance with HIPAA:
✔ Disciplinary Action – The employee responsible for these violations was terminated in July 2023 due to a separate HIPAA violation.
✔ Enhanced Monitoring & Audits – Increased security monitoring and routine audits of all system activity.
✔ Access Control & Restrictions – Strengthened access controls to restrict unnecessary chart access.
✔ Staff Training & Policy Updates – Implemented additional HIPAA compliance training for all staff and strengthened our HIPAA Security Policy and HIPAA Privacy Policy.
✔ Technical & Physical Safeguards – Improved encryption, login tracking, and physical security measures.
What You Can Do
If you were affected by any of these breaches, you should have already received an individual notice by mail or email. While there is no evidence of misuse, we encourage you to remain vigilant and monitor your personal information.
If you have any questions or concerns, please contact the clinic and ask to speak with our HIPAA Compliance Officer.