On October 4, Memorial Hospital of Lafayette County in Wisconsin posted this notice on their site:
On August 6, 2013 Memorial Hospital of Lafayette County discovered a potential breach of unsecured patient health information involving financial statements that were inadvertently sent to some third parties. While most of the approximately 8,000 notices mailed were sent to the patients themselves or their authorized representatives, in some cases they may have been mailed to third parties who were not authorized to receive the information. Accordingly, in an abundance of caution, Memorial Hospital of Lafayette County is treating this incident as a breach and has provided appropriate notice to patients. There is a small number of patients for whom the hospital does not have current contact information. For those patients, this notice will constitute notification of the breach.
Memorial Hospital of Lafayette County contracts with an outside vendor to generate billing statements for our patients. Due to an erroneous setting in the vendor’s system, the system generated a number of “zero balance” or “aged account balance” statements relating to care provided at the hospital since 2001. These statements were sent to the individual responsible for paying the bill, at that individual’s last known address. Sometimes the person receiving the statement was the patient, and sometimes it was not. Some of the statements unfortunately relate to individuals who no longer reside at the mailing address or who are deceased.
The statements did not contain sensitive or detailed information. In fact, the only information relating to treatment at the hospital is the patient’s name and account number, date(s) of service, and the charges associated with each date of service. The statements also included the name, address and identification number for the guarantor on the account. Other personal information, such as social security number, date of birth, and specific health conditions, were not included in the disclosure.
Upon discovering the incident, Memorial Hospital of Lafayette County took immediate action and began investigating. The outside vendor has already corrected the erroneous setting that caused the inadvertent mailing of statements. Going forward, hospital patients, representatives and guarantors will receive an account statement only if there is a balance owed, or if the account was paid to zero since the last statement.
The hospital also immediately published a prior notice in the local newspaper and in the hospital’s newsletter, informing the public that information was sent in error, and requesting that the documents not be opened. Anyone in possession of such a mailing is requested to contact the hospital so that we can arrange to have it retrieved and ensure appropriate disposal.
If you believe your information may have been disclosed, but did not receive written notice from Memorial Hospital of Lafayette County, please call this toll free number 1-877-615-3759.
Memorial Hospital of Lafayette County places an extremely high priority on privacy and security of health information and regrets that this incident occurred.