Posting this here temporarily as phiprivacy.net is experiencing some problems.
Usually when I see an envelope from NRAD Medical Associates, P.C. in my mail, it concerns a radiology bill or insurance matter following services there. But today, I opened the envelope to find a breach notification.
Their notification, signed by their president, vice-president, and secretary-treasurer, begins with the now somewhat pro forma statement about how they are seriously committed to the privacy and security of their patients’ information, which is why they want us to know of a security concern. Of course, at least part of the reason they are letting us know is because under HITECH, they have to. In any event, let’s get to the guts of their notification:
On or about April 24, 2014, it was discovered that an employee radiologist accessed and acquired protected health information from NRAD’s billing systems without authorization. This included some personal information, including patient names and addresses, dates of birth, social security numbers and health insurance, diagnosis codes and procedure codes.
They do not indicate when the breach occurred or how it was discovered.
NRAD states that they have
no evidence that the information has been disclosed to or used by any third parties and have no evidence that your credit card, banking or other financial information was accessed. We believe there to be low risk to this incident, but any risk is unacceptable.
In response to the discovery, NRAD “immediately implemented enhanced security measures,” and recommended that patients contact one of the three major credit bureaus to place a fraud alert on credit reports.
They also established a toll-free number, and posted a copy of the notification and an FAQ on their web site.
In the FAQ, they state that the radiologist is “no longer employed at the practice and his misconduct was reported to the appropriate authorities and government agencies for investigation.” The breach was also reported to HHS.
A call to their hotline requesting a police report number and asking how the breach was discovered required the hotline representative to forward my inquiry to others, who have yet to return my call after a few hours, so it is not clear whether they even reported this matter to the police [SEE UPDATE AT BOTTOM OF POST]. If they do return the call, I’ll also inquire as to when the breach occurred, and will update this post.
In terms of the scope of the breach, NRAD reports that it affects approximately 97,000 current and former patients, which they state is approximately 12% of the more than 800,000 patients they have treated over the past 20 years. It was not clear from their letter whether all 800,000 current and former patients’ information was still in their billing system (and if so, why). I asked the hotline representative whether 800,000 patients’ information was in their billing system and she said it was. I hope the hotline representative was wrong about that.
NRAD did not offer affected patients any free credit monitoring services [SEE UPDATE AT BOTTOM OF POST]. Given the types of personal information acquired, their failure to offer some free services is somewhat surprising and may come back to bite them in the way of lawsuits from unhappy patients who may now be worried about identity theft. Credit monitoring wouldn’t prevent medical identity theft, of course, and the notification letter does not suggest patients check their explanation of benefits statements from their insurers, so I’ll suggest it.
As a patient of NRAD, I have always been very happy with their medical services, and after a decade or more of reporting on breaches, I realize that pretty much any covered entity can experience a breach. But I also have enough experience to recognize when an apology, however sincere, and “we’ve implemented enhanced security measures” are not enough in the way of mitigation. NRAD can and should do better.
Update of June 24: According to other media sources, the Nassau County District Attorney’s Office is investigating in cooperation with the Nassau County Police Department. So the incident was reported to law enforcement. I still have not received a call back from my June 21st call to their hotline.
Update 2 of June 24: ABC News informs me that NRAD now says they are offering credit monitoring. I’ll update again when I get more details on that. Here was ABC’s coverage tonight, with a soundbite and some quotes from yours truly:
Update 4: They are offering one year of credit-monitoring via an Equifax service – but only if you know to call them and request it. They will mail you the enrollment information and code you’ll need to sign up.
I completely agree.
The hotline number was not at all helpful and had little information.
They gave me the admin number which turned out to be the general office number.
I spoke to someone in admin and was told that she was instructed to take my phone number and that someone would contact me.
Good faith, considering NRAD’s claim to being committed to patient privacy, would have been to offer monitoring by the three credit bureaus.
Still waiting for a return call.
Days later, I still have not received a return call, either. Did you happen to ask *when* the breach occurred? I forgot but intended to ask when they returned my call. Which they haven’t….
Hi Ken,
Don’t know if you saw my earlier message but I’m a reporter with Channel 4, looking to talk to someone who was affected by this breach. Can you please give me a call at 916-822-1090.
Thanks,
Checkey Beckford
Hi,
I’m a reporter with NBC New York/Channel 4, trying to find people affected by the security breach. Can you give me a call at 916-822-1090. We’re doing the story for tonight’s newscast.
Thanks and Good Luck. I had my identity stolen and it is not fun trying to rectify it all.
Checkey Beckford
NBC New York
Reporter
916-822-1090
I called the hotline # twice; spoke w/2 different people and neither one could answer my questions. I asked if NRAD would pay for credit monitoring and they didn’t know. I asked if the radiologist who was involved worked in this country or abroad (many of these places employ radiologists in other countries to read test results); the hotline folks didn’t know. Don’t know why they set up a hotline # if folks’ questions cannot be answered or if they don’t return calls. I tried the phone # for the administrative office for NRAD and that number was busy for the 2 hours I tried to call. I’m not too pleased with their handling of this situation, nor am I happy thinking about the fact they had a doctor in their employ who was tampering with patients’ information (financial, medical & personal). Who’s in charge here?
I want to know the name of this radiologist so I can sue him. Anyone up for a class action suit? I don’t think under the HIPAA laws you can sue NRAD. It was suggested to me that I file a complaint with the OCR (Office of Civil Rights), which I believe has already been contacted by NRAD. I am so upset due to the nature of my diagnosis and procedure codes. I didn’t use NRAD services because I had a splinter in my finger. The truth of the matter is that we are suffering from life-threatening diseases or debilitating conditions. I am beyond furious.
HIPAA does not provide a private cause of action (i.e., lawsuit).
I wonder if NRAD went to court to get an injunction to prohibit the radiologist from using any of the data he accessed and acquired. Or whether they’re sure they recovered all of our information.
Elaine, I’m in. I also had a life-threatening case. It is very personal; I don’t want people knowing my very personal issues.
Grace
Elaine, I’m in too! Not only am I a long-time patient of NRAD, I am also an RN. This is upsetting. I do not want people knowing my health issues. Carol
I WILL JOIN A CLASS ACTION IN A HEARTBEAT. PLEASE LET ME KNOW IF THIS OPTION DEVELOPS. TX.
HAH! I think I may smell a gold digger in the audience...
It is futile to stand in front of the court system and prove that your time and effort amounts to anything. Then try to prove, without a shadow of a doubt, that your information was actually used by this person and that they were directly responsible for it. Hire a lawyer, hire a forensics team and go six figures in debt. You’ll be lucky to get 1/10th of that back. The crook will claim bankruptcy. So instead of knee-jerking, face palm yourself a few times every time you want to do the insta-greed option.
Worked for NRAD. You will just get a run around folks. No one will answer your questions or tell you the truth. That’s how this company flies.