As part of its ongoing commitment to privacy and data security, AltaMed Health Services is notifying affected individuals of a recent incident that may affect the security of their personal and protected health information.
The organization learned from local law enforcement of an ongoing criminal investigation of a former AltaMed temporary employee, and other individuals unaffiliated with the organization, on suspicion of identity theft on June 30, 2014. No arrests have been made and law enforcement’s investigation is ongoing; however, law enforcement disclosed it recovered a hard drive and other evidence during its investigation, that this hard drive and evidence may include the organization’s records, and that it believes this information may have been misused by participants in the identity theft ring currently under investigation.
Upon learning of this, the organization launched an internal investigation into the matter to determine what AltaMed records this individual may have accessed during her employment. The organization retained information privacy and data security legal counsel to assist with its investigation. This investigation is ongoing.
The organization’s investigation has thus far revealed this employee may have accessed electronic and paper records relating to individuals that attended one of its community events in Orange and Los Angeles Counties between October 24, 2013 and June 6, 2014. The employee was hired on a temporary basis to assist the organization in its response to the recent influx of health care enrollments. During this investigation, the organization confirmed this individual did not have access to patient medical or billing records, and only had access to records and documents that were primarily used for marketing purposes. These records contain a combination of one or more of the following: name, email address, telephone number, Social Security number, provider information, insurance information, date of birth, and address.
The organization takes the security of personal and protected health information very seriously and is undertaking efforts to mitigate the risk of this happening again. On August 29, 2014, the organization will issue notice of this incident to those 2,995 individuals with marketing records accessed by this employee during her employment and for whom it has sufficient address information. Additionally, the organization is issuing this press release and conspicuously posting notice of this incident on its website. The organization is providing notice to the California Department of Health, the California Attorney General’s office, and the U.S. Department of Health and Human Services, as well. Should the organization’s ongoing investigation reveal additional individuals potentially affected by this incident, it will issue notice to these individuals as well.
The organization encourages individuals to remain vigilant, to review account statements, and to monitor credit reports and explanation of benefits forms for suspicious activity. Under U.S. law individuals are entitled to one free credit report annually from each of the three major credit reporting bureaus. This free credit report can be obtained by visiting www.annualcreditreport.com or calling, toll-free, 1-877-322-8228. Individuals may also contact the three major credit bureaus directly to request a free copy of their credit report.
At no charge, individuals can also have these credit bureaus place a “fraud alert” on their file that alerts creditors to take additional steps to verify their identity prior to granting credit in their names. Note, however, that because it tells creditors to follow certain procedures to protect individuals, it may also delay their ability to obtain credit while the agency verifies the individual’s identity. As soon as one credit bureau confirms an individual’s fraud alert, the others are notified to place fraud alerts on that individual’s file. Any individual wishing to place a fraud alert, or who has any questions regarding their credit report, can contact any one of the following agencies: Equifax, PO Box 105069, Atlanta, GA 30348, 800-525-6285, www.equifax.com; Experian, PO Box 2002, Allen, TX 75013, 888-397-3742, www.experian.com; TransUnion, PO Box 2000, Chester, PA 19022-2000, 800-680-7289, www.transunsion.com. For information about medical privacy rights, individuals may visit the website of the California Department of Justice, Privacy Enforcement and Protection Unit at www.privacy.ca.gov.
Individuals can also further educate themselves regarding identity theft, and the steps they can take to protect themselves, by contacting their state Attorney General or the Federal Trade Commission. The Federal Trade Commission also encourages those who discover that their information has been misused to file a complaint with them. The Federal Trade Commission can be reached at: 600 Pennsylvania Avenue, NW, Washington, DC 20580, www.ftc.gov/bcp/edu/microsites/idtheft/, 1-877-ID-THEFT (1-877-438-4338); TTY: 1-866-653-4261. Instances of known or suspected identity theft should be reported to law enforcement, your Attorney General, and the FTC. Individuals can also further educate themselves about placing a fraud alert or security freeze on their credit file by contacting the FTC or their state’s Attorney General.
The organization has established a confidential inquiry line, staffed with professionals trained in identity and credit protection and restoration, and familiar with this incident and the contents of this notice. This confidential inquiry line is available Monday through Saturday, 6:00 a.m. to 6:00 p.m. P.S.T. at 877-579-2263.
SOURCE: AltaMed
Updated: A copy of their notification letter to patients has been uploaded to the California Attorney General’s site (pdf)
Update2: This incident was added to HHS’s public breach tool on Nov. 7, 2014.
Why would a Social Security Number be part of information “primarily used for marketing purposes”? Also, age would be more appropriate than date of birth for marketing purposes. The information available in the marketing data seems to be significantly outside of the minimum necessary requirement of HIPAA. If the information was used for enrollment, including the SSN and DOB would be more appropriate. In addition, is the insurance information just their insurance company’s name or did it include more detailed insurance information that could be used for medical ID theft?
Interestingly, the notice to patients indicates that the individual records and “among those records was a record containing your name, {Client_Def1} and your address”. That indicates significantly less information exposure than the original notice indicates. More information on “{Client_Def1}” may have been beneficial to patients.