Notice of Privacy Breach

Notice to Vail Health Hospital patients regarding Privacy Incident

Vail Health Hospital (VHH) formerly known as Vail Valley Medical Center is notifying patients about a breach of some patients’ personal health information. We deeply regret this incident occurred. VHH is committed to providing the highest quality of service and that includes protecting patients’ privacy.

On November 1, 2019 we discovered that a physical therapist, who provided services at VHH’s Howard Head Sports Medicine (HHSM), from 2009 through 2012, improperly acquired electronic protected health information (PHI) in violation of VHH’s policies and the Health Insurance Portability and Accountability Act (HIPAA). VHH learned about this breach after receiving documents through discovery in a lawsuit that the physical therapist filed against VHH. The physical therapist admitted taking copies of electronic documents when she left HHSM in 2012. The court ordered the physical therapist to provide VHH with copies of all the documents taken. The physical therapist produced a first group of documents to VHH between November 1, and November 5, 2019. She produced a second group of documents between April 30 and May 12, 2020. Each time, VHH reviewed the documents and found that a number contained PHI about some HHSM patients who were seen during or prior to 2012.

The types of information contained in the records taken by the physical therapist varied depending upon the type of document but included one or more of the following: name, date of birth, address, phone number, social security number, and certain clinical information such as physical therapy treatment, plan, or evaluation, diagnoses, conditions, surgical procedure, date of service, insurance carrier name, and billing codes. The information taken did NOT include credit card or bank account information, or any insurance ID numbers.

We are committed to safeguarding our patients’ personal information, and, in the last few years, have upgraded our Information Technology systems. VHH has taken steps to enhance the protective measures in place to detect and safeguard against employees taking electronic PHI. VHH has implemented tools to restrict employees’ ability to move or copy files from VHH’s network. VHH has been providing additional mandatory training on HIPAA compliance to all its employees including those at HHSM. In addition, VHH will ask the court to order the physical therapist to delete the copies she took.

Although no credit card or bank account information was involved when the electronic documents were taken over seven years ago, we want to make you aware of steps you may take to guard against any potential harm. We recommend that you regularly review and closely monitor your financial account statements and any explanation of benefits (EOBs) from your health insurers. If you identify services listed on any statements or your explanation of benefits that you did not receive, you should contact your insurance provider immediately. If you identify any charges on your credit or debit cards, or withdrawals from your bank accounts that you did not authorize, contact your bank or credit card company immediately and follow their procedures to freeze transactions or accounts, obtain new cards, and/or to challenge any unauthorized purchases.

You may also obtain information about placing fraud alerts and security freezes from the Federal Trade Commission and the three national credit reporting agencies.

Federal Trade Commission, 600 Pennsylvania Avenue, NW, Washington, DC 20580
1-877-382-4357 (toll-free)

1-888-548-7878 (toll-free)
P.O. Box 740241
Atlanta, GA 30374-0241

1-888-397-3742 (toll-free)
P.O. Box 9532
Allen, TX 75013

1-800-916-8800 (toll-free)
P.O. Box 1000
Chester, PA 19022

On December 31, 2019, VHH mailed notice letters to patients who had information in the first group of documents provided by the physical therapist to VHH in November 2019. On June 23, 2020, VHH is mailing notice letters to patients who have information in the second group of documents provided to VHH. Any individuals who believe their information may have been included or for additional information are encouraged to call VHH’s toll-free number 1-855-477-8200 or to write to Privacy Officer, Vail Health Compliance Department, P.O. Box 40,000, Vail, CO 81657. The toll-free line is available Monday through Friday from 8:00 a.m. – 4:30 p.m. Mountain Time (holidays and weekends excluded).