Open swidup opened 3 years ago
King's Daughters https://www.kingsdaughtershealth.com/patient-visitors/hipaa-breach-notification-substitute-notice-medd/ HIPAA breach notification substitute notice MedData incident
NOTICE OF DATA PRIVACY INCIDENT
Med-Data, Incorporated (“Med-Data”) recently experienced a privacy incident that may have impacted the protected health information (“PHI”) of individuals whose information was provided to Med-Data to assist with processing. Med-Data provides revenue cycle services to hospitals, healthcare systems and their patients, including solutions for Medicaid eligibility, third-party liability, workers’ compensation, and patient billing. All affected healthcare providers were notified of the incident.
What happened?
On December 10, 2020, an independent journalist informed Med-Data that some data related to its business had been uploaded to a public website (“the Website”). On December 14, 2020, the journalist provided a link to the data, and Med-Data immediately launched an internal investigation to validate the journalist’s claim and discovered that a former employee had saved files to personal folders they created on the Website sometime between December 2018 and September 2019 while employed with Med-Data. The files were promptly removed on December 17, 2020.
Med-Data hired cybersecurity specialists to assist in the review of the files to determine what information may have been included. Further review confirmed that the files may have contained PHI for patients whose information may have been processed by Med-Data. The cybersecurity specialists conducted an in-depth review of the files to identify PHI and extract contact information of potentially affected individuals. On February 5, 2021, the cybersecurity specialist provided a list of impacted individuals whose PHI was impacted by the incident. Impacted covered entities whose patients’ data was affected were notified on February 8, 2021. Letters were mailed to impacted individuals and applicable regulatory agencies on March 31, 2021.
What information was involved?
From our investigation, it appears that impacted information may have included individuals’ names, in combination with one or more of the following data elements: physical address, date of birth, Social Security number, diagnosis, condition, claim information, date of service, subscriber ID (subscriber IDs may be Social Security numbers), medical procedure codes, provider name, and health insurance policy number.
What is Med-Data doing?
Med-Data is offering impacted individuals credit monitoring and identity protection services through IDX at no cost. Med-Data has also taken steps to minimize the risk of a similar event from happening in the future. Med-Data implemented additional security controls, blocked all file sharing websites, updated internal data policies and procedures, implemented a security operations center, and deployed a managed detection and response solution that provides 24x7 monitoring of our network, endpoints, and workstations.
For more information:
To determine whether your information was impacted or for more information about this incident, please call 1-833-903-3647 Monday through Friday from 9 am – 9 pm Eastern Time. Individuals can also contact the Federal Trade Commission at 600 Pennsylvania Avenue NW, Washington, D.C. 20580, 1-877-ID-THEFT (1-877-438-4338); TTY: 1-866-653-4261 or visit www.ftc.gov/idtheft/ for more information on protecting their identity.
"So far, Memorial Hermann, U. of Chicago, Aspirus, and OSF Healthcare have posted notices. Others should be or may be posting soon. Here’s DataBreaches.net’s exclusive report on the incident."
U. of Chicago: https://www.uchicagomedicine.org/forefront/news/ucmc-notice-of-med-data-incident
Aspirus: https://www.aspirus.org/press-room/notice-of-data-privacy-incident-3919
OSF Healthcare: https://www.osfhealthcare.org/media/filer_public/24/3e/243efe2e-4b40-46c2-a394-515cc5ab0e7d/fh_md_holdings_llc_-_substitute_individual_notice_3_24_2021.pdf
SCL Health: https://www.sclhealth.org/
Update 8:01 pm: Post-publication, we found that King’s Daughters and SCL Health had also posted notices on the Med-Data breach. We know that there are other entities that should be disclosing, so this will be updated when we find their notices.
Update April 6: University Health in Texas and Paris Regional Medical Center in Texas have posted notices. There are more to come….
Update April 7: PeaceHealth Sacred Heart Medical Center at RiverBend and AdventHealth Shawnee Mission have posted links to Med-Data’s notice on their own sites.
Update April 10: Hospital Sisters Health System impacting:
HSHS St. Joseph’s Hospital, Chippewa Falls,
St. Joseph’s Home Health & Hospice,
HSHS Sacred Heart Hospital, Eau Claire,
HSHS St. Anthony’s Memorial Hospital, Effingham,
HSHS St. Elizabeth’s Hospital, O’Fallon,
HSHS St. John’s Hospital, Springfield,
HSHS St. Mary’s Hospital, Decatur
Update April 10: Watertown Regional Medical Center
Update April 13: Fort Healthcare for Health (Fort Memorial Hospital). [Reminder: these are the dates we find the notification, and not necessarily the date they were first posted.]
https://www.khou.com/article/news/health/memorial-hermann-patients-personal-information-data-breach/285-bb968075-2d60-423e-9fcc-deefdfa5e9b4