Chesapeake Health Care takes the privacy and confidentiality our patient’s information very seriously. On January 15, 2021, Chesapeake Health Care discovered that iPads used by dental patients to complete registration forms were configured such that patients using the iPads were able to view the names and appointment times of other dental patients who had appointments scheduled the same day. On the same day, Chesapeake Health Care took immediate action to remove the iPads from use. Based on its investigation into this incident, Chesapeake Health Care determined that this configuration error started on November 23, 2020 and was resolved on January 15, 2021.
The iPads displayed the names and appointment times of other dental patients who had appointments the same day as the patient who used the iPad to complete his/her own registration forms. While it was technically possible for a patient using an iPad to view additional information about other dental patients, such access would only have occurred if the iPad user maneuvered away from his/her own registration forms to other areas of the electronic record. Chesapeake Health Care has knowledge of this further access having occurred by mistake with respect to only one dental patient. The additional information that would have been viewable in this unlikely circumstance includes patient address, phone number(s), email address, date of birth, dates of service, general descriptors of dental treatment provided to the patient, dental x-rays and tooth charts, and information regarding dental service fees and account balance.
Chesapeake Health Care is committed to safeguarding our patient’s personal information and has taken immediate steps to both stop this incident from continuing and prevent similar incidents from recurring in the future. Chesapeake Health Care’s dental clinics are no longer using iPads in connection with patient registration. If iPads are used by patients in the future, they will be configured so that only the immediate user’s information is accessible. Chesapeake Health Care is also reinforcing and providing ongoing mandatory privacy and security awareness training and reminders.
While we do not know of any misuse of the information, we mailed letters to affected patients on March 31, 2021, and established a dedicated call center to answer any questions patients may have. We also recommend that patients review financial statements, credit reports, and statements they receive from their health insurer. If they see services they did not receive or accounts, charges, or withdrawals that they did not authorize, they should contact their health insurer immediately.
If you believe you may have been affected and do not receive a letter by April 7, 2021, please call (855) 484-1178 Monday through Friday from 9 a.m. to 6:30 p.m. Eastern Time to learn if your information was involved in this incident.