CommonSpirit Health, one of the country’s largest nonprofit health systems, convinced a federal judge in Texas to order a medical technology vendor to return hundreds of thousands of medical records it was sent to archive.
The US District Court for the Northern District of Texas’s order directs Emerge Clinical Solutions LLC to return all protected health information and other data in its possession; verify the destruction of all PHI and other data that can’t be returned; and complete and return the “Certificate of Return or Destruction of Protected Health Information,” in accordance with the parties’ agreement.
Read more at Bloomberg Law (sub. req.)
Looking at the court filings, it appears that CommonSpirit had a business associate agreement with Emerge Clinical Solutions to perform some projects for them. In late September, CommonSpirit found that there were some data extraction errors in Kentucky made by Emerge and sought their correction. According to the court filing:
Plaintiff immediately contacted Defendant to request that Defendant correct the errors. Defendant initially and generally responded to Plaintiff’s concerns on September 28, 2022. This was the last contact between Plaintiff and Defendant, despite Plaintiff’s continued efforts.
Plaintiff has made attempts to reach out to its contacts with Defendant and all such attempts have been unsuccessful. Further, the general phone line listed on Defendant’s website has been disconnected.
Upon information and belief, Defendant stopped paying its employees and contractors in September of 2022.
Emerge allegedly was in possession of files on hundreds of thousands of patients. CommonSpirit sought an injunction from the court, whose order noted that Emerge never responded by the deadline the court had imposed.
It is not clear whether this problem with Emerge had any bearing at all on recovery from the ransomware attack CommonSpirit experienced. DataBreaches has sent an inquiry to CommonSpirit asking them whether this was a totally unrelated situation, but no reply has been received as yet.
Update: CommonSpirit sent the following statement:
CommonSpirit hired Emerge Clinical Solutions to perform certain Information Technology support services. When Emerge failed to respond to our inquiries regarding its safekeeping of certain CommonSpirit data, CommonSpirit sought an injunction for return or destruction of that data.
At this time, we have no reason to believe any data has been subject to any unauthorized access, use or disclosure, and the majority of records entrusted to Emerge have been successfully returned.
This incident is unrelated to the recent cyberattack experienced by CommonSpirit Health.