Mercy Health Lorain Hospital Laboratory patients notified of HIPAA breach due to contractor invoice printing error

Although no actual or attempted access or misuse of patient or guarantor information has been discovered, RCM Enterprise Services, Inc. (“RCM”) is providing notice to certain individuals regarding an error in the invoice mailing process that caused individually identifiable information to appear in the clear address “window” on medical invoices.  RCM provides patient billing services to Mercy Health Lorain Hospital Laboratory (“Mercy Lab”) as its business associate.

“We take this incident, as well as information privacy and security, very seriously, and have enhanced our procedures in order to prevent the occurrence of a similar incident,” said Barbara Shaub, Director, Revenue Cycle Management of RCM.

On or around November 7, 2019, RCM advised Mercy Lab that batches of medical invoices created and mailed by RCM’s contracted mailing vendor were printed incorrectly.  Instead of the name, street address, city, state, and zip code of the patient (or his/her guarantor) appearing in the clear address “window” of the envelope, what actually appeared were names, street addresses, and Social Security numbers.  In other words, in the space where a city, state and zip code would normally appear was a Social Security number.  The erroneous materials were sent out by RCM’s contracted mailing vendor between August 14, 2019 and October 16, 2019.

Upon learning of the incident, RCM immediately launched an investigation to determine the nature and the scope of the incident.  As part of the investigation and in preparation for making notice to impacted individuals, RCM undertook a comprehensive review of the invoices that were mailed, and the processes employed by RCM’s contracted mailing vendor during the invoicing process.

Neither RCM nor Mercy Lab has discovered that any actual misuse of the Security Numbers has occurred.  In compliance with law, RCM is contacting all individuals impacted by this incident, including a description of the event and proactive steps that can be taken to safeguard one’s personal information.   These steps include:

• Enrolling to receive the complimentary credit/identity monitoring and restoration services that RCM is offering to those impacted by the event.  Instructions on how to sign up for the services are included in the January 6, 2020 notice from RCM.
• Monitoring financial statements carefully, and promptly contacting the appropriate financial institution upon detection of suspicious or unauthorized activity.
• Monitoring credit reports and Social Security benefit reports for suspicious activity.
• Placing a fraud alert or security freeze on one’s credit file.
• Contacting the FTC, one’s state Attorney General, or law enforcement, to obtain more information about protection against identity theft and to report suspicious or unauthorized activity impacting one’s identity and/or credit.
• Reporting incidents of suspected or actual identity theft or fraud to the FTC, one’s state Attorney General, or law enforcement.
• Monitoring for misuse of one’s Social Security Benefits.

RCM has established a dedicated call center for individuals to contact with questions or concerns.  This dedicated call center can be reached at 833-991-1537 (toll-free), Monday through Friday from 9:00 a.m. to 9:00 p.m. Eastern Time, excluding national holidays.

Source: RCM