I was just reading that 900 patients who were treated at Grady Health Systems’ emergency care facilities may have had their data stolen by a former hospital contract worker.
I thought it was yet another breach, but the Associated Press reports that the contractor worked for Advanced Data Processing Inc.
Yes… the same company that I reported on here and it appears to be the same breach. The patients whose data were accessed were those who were transported by ambulance to the hospital’s emergency care facilities; ADPI handled the ambulance billing.
The hospital’s statement differs from ADPI’s statement in one significant way, however. According to a hospital spokesperson, the illegal access/conduct by the employee occurred over a nine-month period – between mid-January to mid-October. The Atlanta Business Chronicle repeats those claims, reporting that the 900 patients (definitely) had their records copied and that the breach took place between January 15 and October 12. According to ADPI’s notification and statements to this blog, however, the breach first occurred on June 15 and ADPI learned of it on October 1 when law enforcement contacted them to alert them that there was a problem. I suspect we’ll be reading a number of contradictory reports for a while.
If 17 states were notified about this breach, this could be really ugly in terms of hospital patients affected. ADPI notified HHS on November 28, as I noted previously. I wonder if we will ever get a full accounting of all of the hospitals affected and the total number of patients (hospital and non-hospital ambulance) affected.
Update 1: I’ve e-mailed both ADPI’s spokesperson and Grady’s spokesperson about their conflicting reports on the time frame of the breach and will update this entry when I get responses.
Update 2: Grady corrected their statement.