DataBreaches.Net

Radiologist bypasses billing system computer security and acquires 97,000 patients’ info from NRAD Medical Associates

Posted on June 21, 2014 by Dissent

Usually when I see an envelope from NRAD Medical Associates, P.C. in my mail, it concerns a radiology bill or insurance matter following services there. But today, I opened the envelope to find a breach notification.

Their notification, signed by their president, vice-president, and secretary-treasurer, begins with the now somewhat pro forma statement about how they are seriously committed to the privacy and security of their patients’ information, which is why they want us to know of a security concern. Of course, at least part of the reason they are letting us know is because under HITECH, they have to. In any event, let’s get to the guts of their notification:

On or about April 24, 2014, it was discovered that an employee radiologist accessed and acquired protected health information from NRAD’s billing systems without authorization. This included some personal information, including patient names and addresses, dates of birth, social security numbers and health insurance, diagnosis codes and procedure codes.

They do not indicate when the breach occurred or how it was discovered.

NRAD states that they have

no evidence that the information has been disclosed to or used by any third parties and have no evidence that your credit card, banking or other financial information was accessed. We believe there to be low risk to this incident, but any risk is unacceptable.

In response to the discovery, NRAD “immediately implemented enhanced security measures,” and recommended that patients contact one of the three major credit bureaus to place a fraud alert on credit reports.

They also established a toll-free number, and posted a copy of the notification and an FAQ on their web site.

In the FAQ, they state that the radiologist is “no longer employed at the practice and his misconduct was reported to the appropriate authorities and government agencies for investigation.” The breach was also reported to HHS.

A call to their hotline requesting a police report number and asking how the breach was discovered required the hotline representative to forward my inquiry to others, who have yet to return my call after a few hours, so it is not clear whether they even reported this matter to the police. If they do return the call, I’ll also inquire as to when the breach occurred, and will update this post.

In terms of the scope of the breach, NRAD reports that it affects approximately 97,000 current and former patients, which they state is approximately 12% of the more than 800,000 patients they have treated over the past 20 years. It was not clear from their letter whether all 800,000 current and former patients’ information was still in their billing system (and if so, why). I asked the hotline representative whether there were 800,000 patients’ information in their billing system and she said there was. I hope the hotline representative was wrong about that.

NRAD did not offer affected patients any free credit monitoring services. Given the types of personal information acquired, their failure to offer some free services is somewhat surprising and may come back to bite them in the way of lawsuits from unhappy patients who may now be worried about identity theft. Credit monitoring wouldn’t prevent medical identity theft, of course, and the notification letter does not suggest patients check their explanation of benefits statements from their insurers, so I’ll suggest it.

As a patient of NRAD, I have always been very happy with their medical services, and after a decade or more of reporting on breaches, I realize that pretty much any covered entity can experience a breach. But I also have enough experience to recognize when an apology, however sincere, and “we’ve implemented enhanced security measures” are not enough in the way of mitigation. NRAD can and should do better.

NOTE: updates to this post will appear on the mirrored post on DataBreaches.net. The breach is starting to get local media attention, as I’ve been contacted by both NBC and ABC today.


2 thoughts on “Radiologist bypasses billing system computer security and acquires 97,000 patients’ info from NRAD Medical Associates”

  1. Anonymous says:
    June 26, 2014 at 12:56 am

    Several years ago, the company I worked for was informed that our Oxford Insurance along with Oxford members throughout Long Island had their personal data stolen. Oxford gave every member affected (which numbered in the thousands) a year of free online security, which to this day I have kept on my own, as it has proven to be an extremely valuable tool to protect my credit, especially from identity theft. With the breach at NRAD, maybe they should have been a little more proactive and saved the apology.

    1. Anonymous says:
      June 26, 2014 at 7:16 am

      I don’t recall any breach involving Oxford Insurance from a few years ago. Would you be kind enough to email me at admin[at]phiprivacy[dot]net with some details on what happened back then?
