Health records belonging to patients were stolen in a break-in at a suburban medical billing company.
Patients are now being notified about the security breach.
Police tell ABC7 the records were on a portable hard drive and stolen from the Westmont office of Millennium Medical Management Resources.
It happened back in February.
The company handles billing for emergency healthcare physicians. Letters being sent to EHP patients indicate that people who were treated between 2003 and 2006 may be affected by the theft.
Read more on ABC.
Note: This may be the same incident reported to NYS on April 29 and mentioned in this earlier blog entry. It’s hard to be sure with so little detail in the NYS log.
UPDATE 1: The breach has been listed on OCR’s web site. It indicates that 180,111 individuals may be affected.
Now if some kind reader can just tell us what kinds of information were on the stolen drive….
UPDATE 2: Thanks to a reader, we now know what Millennium thinks was on the hard drive. From R’s comment, below:
According to the letter: “Millenium believes the hard drive contained personally identifiable information about EHP patients including name, address, phone, DOB, and SSN, and in some cases other information such as diagnosis, procedure (and/or codes), medical record #, acct #, DL #, and health insurance info.” It was NOT encrypted.
UPDATE 3: A copy of the notification letter from Emergency Health Physicians can be found on OSF.
I just received this notice yesterday. If the break-in occurred on February 27th, why the hell does it take OVER 2 months to notify the people that might have their identity stolen? NOT acceptable. There is no offer to have a credit monitoring service either. Again, not acceptable.
Since I haven’t seen the letter (can you scan it in?), can you tell us what kinds of information were on the stolen drive?
Agree with M. Glad we were notified but there is no contact info for EHP except a phone number – it does not even mention the hospital(s) they are associated with or their mailing address. No info for MMMR either. Credit monitoring service for a couple of years would be nice – peace of mind but I did not lose the hard drive so why do I have to make the phone calls!
Please, please, please: will one of you unlucky souls who received the notification please fill us all in on what kinds of information are involved here? Were Social Security numbers, financial info, diagnoses, etc. on unencrypted devices or what?
They don’t seem to know exactly what was on it. According to the letter: “Millenium believes the hard drive contained personally identifiable information about EHP patients including name, address, phone, DOB, and SSN, and in some cases other information such as diagnosis, procedure (and/or codes), medical record #, acct #, DL #, and health insurance info.” It was NOT encrypted. Why are they storing that type of info unencrypted on a PORTABLE drive? Sorry, I don’t have access to a scanner.
Thank you so much!
If anyone else does have the ability to scan this one in, email it to me at admin[at]phiprivacy.net and I’ll upload it to this site.
If so much information was on the drive, I’m surprised (and yet not surprised) that they didn’t offer free credit monitoring at the very least. Even though it’s a lot of people, they really should do something to help, in my opinion.
I also received a letter from Millennium Management Resources Inc. informing me that sensitive financial and medical information of mine had been stolen. I am livid at their flip attitude. They have given suggestions to protect ourselves, but let us know that the charges incurred by their gross negligence will cost us! I did call that number and was informed that I had not called the right number. The woman who answered my call left for a few seconds and I could hear that there were two people on the line. She wouldn’t give me a name and number to call, but said that someone would call me. Guess what? No call! Why were four to seven year old files sitting around on a portable hard drive? Why were these files not encrypted? Why was there not an alarm system in the building? Why did it take over two months to notify the victims? Why did they not offer to pay for the three credit bureaus’ services and fraud protection insurance? I tried to get answers, and got the brush-off instead. I would suspect that this management company is not in compliance with HIPAA, PHI, and PII regulations. This is pure negligence. We need answers and we need to take action.
I had $500 worth of fraudulent charges on my debit account in March …. well this explains why, and why the detective is working so hard on my case. Truly amazing how long it took for them to notify us.
This doesn’t necessarily explain the fraud on your debit card, as Millenium doesn’t list debit or CC numbers. If you’ve never paid for your medical care via debit card, there’d be no way for them to have the number, either.
There’s been a lot of debit card fraud nationally between hackers, skimmers, etc., and law enforcement has mentioned a national debit card fraud ring but I don’t know much more than that other than Indiana and a lot of other states have reported victims.
So the frustrating thing is that you may never be able to figure out for sure how your debit card number got compromised unless you get a notification from some store, restaurant, bank, gas station, etc., that lets you know that their system was compromised and your debit card was in their system. Also, and equally unfortunately, if you’ve had that card number for a while, it’s possible that your number was acquired over a year ago and was first being used in March. The Heartland breach was like that — some banks didn’t replace all affected debit cards and decided to just “monitor” them. Then this year, there was a rash of new fraud on those cards.
Oh, ok, so even if they have my social security number and other information, there’s no way they could access my account? Thanks for the info.
If Millenium’s letter is accurate about what data were on the drive, the thieves would also have to know what bank you use, your PIN or secret question, etc. to get your debit card number (based on this breach), right? Or they’d have to trick you into revealing it, and you sound pretty sharp. So why would they go through any hassle of trying to get your debit card number? If they have your name, address, DOB, and SSN, it would be easier for them to open a new credit card account in your name….
Given the amount and nature of info involved, I’d really encourage everyone who got notified of this breach to check your credit report now and then check it again in a few months. Under federal law, you’re entitled to three free credit reports per year (not your credit score, but your credit report). And if you notify the three major credit reporting agencies that your data was stolen, they’ll give you a free credit report. But do check it again in a few months.
Actually, if it was me, I’d also consider placing a security or credit freeze so that any new attempt to open credit in your name or to obtain your credit report would be blocked. A freeze will slow you down if you want to open a new account somewhere and it won’t stop misuse/abuse of any of your existing accounts, but it will prevent thieves from opening a new account in your name. And it won’t affect your ability to use your existing accounts.
The problem with these damned thefts is that at the outset, we can never tell if the theft had the goal of stealing information or if the goal was simply to steal hardware and the thieves were not looking for data.
Passwords. My recommendation to everyone who is involved, and anyone not involved in any breach, is to add a password to all your credit, bank and utility accounts. It should not be an answer that can be found on your Facebook page, such as your pet’s name. In fact, when any entity asks those types of questions, give fake answers that you will remember so that no one can guess answers from any information they can read or find out about you. You may also want to combine two words into one, like banapple. Never give a true/real mother’s maiden name, name of a school or date of birth for a “so we can know it is you” question.
This letter came to me entirely too late…I got this letter last week and the incident happened in February…I also cannot believe that this company didn’t encrypt personal info that they kept on a portable hard drive…this whole thing is a huge inconvenience…this company was hugely irresponsible with personal information and needs to offer some sort of compensation!