It seems that Baltimore-based Mercy Health Systems (Mercy Medical Center) forgot to notify Maryland about a breach involving Maryland residents earlier this year.
According to an August 13 letter signed by Chante Tindal, Compliance Generalist: on January 14, MHS’s transcription contractor, Allscripts, reported a missing unencrypted hard drive containing patient information. MHS says this was reported to them on February 14, and it is not clear to whom Allscripts reported the situation on January 14 nor why it took a month to alert MHS that the drive was missing.
The missing backup drive contained 25 patients’ information such as name, health plan beneficiary number, diagnoses, medical record numbers, and account numbers. An email file on the drive reportedly required a password.
MHS notified those affected on April 1. Their letter incorporated Allscript’s belief that the drive was not taken for malicious purposes and that no data had been accessed.
Allscripts’ response to the breach was to provide “corrective discipline and verbal education” to the employee responsible for the drive. Other employees were reminded of the need to adhere to security policies.
There is no indication in MHS’s letter whether any other Allscripts clients had patient data on the missing backup drive, and I cannot seem to locate any notices online.