EqualizeRCM Services is a vendor providing billing and collection services to healthcare providers. In compliance with HIPAA, it has Business Associate contracts with its clients, who provide it with the information needed to fulfill its functions. The firm has headquarters in Austin, Texas, and offices in Houston and Washington, D.C.
On February 29, EqualizeRCM learned that a laptop had been stolen from an employee on February 25 or 26. A notification letter, signed by Janine Anthony Bowen of LeClairRyan to the New Hampshire Attorney General’s Office, does not indicate whether the laptop was stolen from the employee’s home, a car, or some other location.
An investigation revealed that some patients seen at the following providers had information on the stolen laptop:
- Northstar Healthcare Surgery Center (Scottsdale, Houston, Dallas)
- Microsurgery Institute (Houston, Dallas)
- Hermann Drive Surgical Hospital
- Victory Medical Center Houston
- Central Dallas Surgery Center
- Southwest Freeway Surgery Center
- Kirby Surgical Center
- Plano Surgical Hospital
In a statement posted on their web site on April 28, EqualizeRCM explained that the information potentially exposed may have included patient name, address, phone number, date of birth, gender, insurance provider and policy number, health care provider information, billing and diagnosis codes, medical record number, internal reference number, date and type of service, the name of the treating facility, and other administrative information.
Financial account information and Social Security numbers were not impacted, and as of April 28, neither EqualizeRCM nor its clients were aware of any misuse of the information. As a precaution, however, EqualizeRCM is offering affected patients services through AllClear ID.
Some of the affected entities appear to have posted copies of EqualizeRCM’s notice on their web sites to alert their patients to the incident.
In addition to offering remediation services, EqualizeRCM is also reviewing its policies and procedures, implementing additional safeguards to ensure information in its control is appropriately protected, and “retraining employees on existing policies for the proper handling of sensitive information.”
The total number of patients notified was not disclosed, and this incident does not yet appear on HHS’s public breach tool.
Updated May 10: Northstar reported this to HHS on April 28 as affecting 19,898 patients. We still don’t know the other entities’ numbers or the total.