Advanced Data Processing (ADPI), handles billing for a number of ambulance services throughout the U.S.
The Florida-headquartered firm notified the California Attorney General’s Office this week that on October 1, they discovered a rogue employee had been accessing and disclosing patient information to others who used the information to file fraudulent tax returns to obtain refunds. According to their notification letter and a statement sent to PHIprivacy.net by spokesperson Lisa MacKenzie, the breach occurred on June 15, when the employee first improperly accessed patient data.
According to their statement to this site, ADPI was alerted to the breach by authorities, who informed them that an employee might be improperly accessing and improperly releasing confidential personal information. MacKenzie tells PHIprivacy.net, “The employee was suspected of being connected to a tax fraud scheme that has far reaching implications beyond the improper access at ADPI.”
While ADPI would not disclose how many patients were affected, how many more might possibly have had their data accessed, nor how many of their clients were affected, MacKenzie informs this blog that 17 states have been notified of this breach including Arizona, California, Florida, Georgia, Kansas,Kentucky, Massachusetts, Maryland, Missouri, North Carolina, Nebraska, Nevada, New Mexico, Ohio, Oklahoma, Tennessee and Texas. HHS was notified of the breach yesterday.
The employee has been apprehended, but has not been publicly named yet, and it’s not known to this blogger whether the employee has been charged criminally at this time.
Although no medical information was accessed, patient information included names, dates of birth, Social Security numbers and record identifiers.
Free credit monitoring services were offered only to those patients whom ADPI could confirm had their details accessed by this employee. Other patients whose data may have been accessed were notified and advised to be vigilant.
The Los Angeles Fire Department was one of the clients affected, as the Los Angeles Times reports.
Update 1: According to a second article in the L.A. Times, the employee has not been charged at this time. I also learned that this incident is part of the vast ID theft/fraud ring investigated for the past two years and referred to as “Operation Rainmaker” by law enforcement officials.
Update 2: A substitute notice has been published, here.
A recent article also named Berkeley, CA ambulance patients as involved in this breach. I’ve linked the three of them together and continue tracking.
http://theleakingvault.com/news/2012/11/30/adp-breach-affects-at-least-two-victim-organizations
Thanks, Suzanne. Yes, Berkeley FD is also affected. I’ll be posting a list of the 20 agencies I already know about and we’ll use that blog entry to keep track.