James D. Wolf Jr. of the Post-Tribune reported today that up to 860 patients who used the City of Valparaiso Fire Department ambulance service last year would be receiving breach notification letters from ADPI.
You remember the ADPI breach, of course. I first reported on it in November 2012, when I also started compiling a list of all of ADPI’s clients that had been affected by the breach.
And yet it seems that individuals whose data were compromised for at least one city/client are first finding out now. Why the delay if the employee was arrested last year and pleaded guilty? Why weren’t affected Valparaiso residents notified last year?
After some digging, I finally located the city’s notice concerning the breach, and therein lies the explanation – of sorts:
This notice is provided by the Valparaiso Fire Department (the “Ambulance Agency”) concerning a data breach incident affecting records of a number of Ambulance Agency patients. Advanced Data Processing, Inc. (the “Company”) manages billing for the Ambulance Agency and on July 16, 2013 the Company learned from the Internal Revenue Service that certain patient records connected with the Ambulance Agency may have been improperly accessed. Accessed account information included name, date of birth, Social Security number and record identifier, but no medical information was accessed.
So ADPI never figured out all of the data that was accessed by the former employee, it seems, and only found out last month when the IRS contacted them. The fact that the IRS contacted them suggests to me that the data of at least some residents of Valparaiso was misused as part of the tax refund scheme although ADPI says it does not know whether any data was misused. The fire department’s notice continues:
By way of background, this past Fall the Company was notified by law enforcement in Tampa, Florida (on October 1, 2012) that a now-former employee of the Company illegally accessed and disclosed certain patient account information in connection with a scheme to file false federal tax returns. Based on the information available to the Company after a thorough internal and external forensic review, it appears that only patients who had ambulance transports during the period January 1 through June 21, 2012 would be potentially affected.
I think one can reasonably question any claim that there was a “thorough” forensic review if ADPI’s review did not reveal that up to 860 residents of Valparaiso may have had their data accessed.
When the Company first learned of this incident the Company had no reason to believe that any account information of the Ambulance Agency had been accessed.
Then that strikes me as a failure of their monitoring or auditing protocols.
The employee was apprehended by authorities, immediately terminated by the Company, pleaded guilty to charges brought against her, and is now awaiting sentencing.
Based on the additional information that was recently provided to the Company by the IRS, however, the Company and the Ambulance Agency have learned that account information of some patients of the Ambulance Agency may have been among the information that was accessed by the former employee. Although it is not known whether any of such information was actually misused, because this cannot be ruled out, this notice is being provided out of an abundance of caution.
“Abundance of caution?” An abundance of caution would have been to notify every person who used a service that was a client of ADPI’s during the time period in question. Notifying people after there is already evidence of misuse of at least a portion of the data is not any kind of “abundance of caution.”
Update: ADPI’s press release just showed up in my newsfeed. You can read it here.
Since both law enforcement and the IRS have notified them of potential data breaches and a former employee has pleaded guilty to charges, I am surprised that they did not offer credit monitoring services for at least a year to potentially affected patients. Everything the press release discussed for individuals who believe they may be affected appears to be the patient’s responsibility – monitoring their credit card statements and free credit reports, reporting suspicious activity to authorities, obtaining a police report, etc.
They did offer 1 year of Experian ProtectMyID Alert services to those whose data they were able to confirm had been accessed. You’re not seeing it now because they said they had no knowledge that Valpo’s data had been accessed. Why the IRS would be notifying them if there was no evidence makes no sense to me, but that’s ADPI’s claim.
See this sample notification letter from last year where they offered a subset of patients a free service: https://oag.ca.gov/system/files/ADP%20Sample%20Notice%20Letters2_0.pdf.
I personally don’t think they’ve offered people enough support and am somewhat surprised that I haven’t seen any lawsuits stemming from this breach. But then, I haven’t looked, either.