In a refreshingly straightforward breach disclosure, Sentara Health in Virginia reports that on December 19, an anonymous individual called their Compliance Hotline to alert them that while searching for something online, the called had stumbled across an exposed file with patients’ Medicare billing information. Sentara quickly verified the caller’s report and determined that the file had been uploaded to Adobe Acrobat’s site by an employee of a Sentara business associate, Coronis Health. The employee uploaded the billing remittance file on October 17.
The file contained protected health information of patients that included: Medicare ID number, the date of service, Current Procedural Terminology or “CPT” codes, the last four digits of the account number, the location of service (the Sentara Lab), and any outstanding balance on the account.
Coronis reportedly fired the employee. For its part, Sentara is notifying the 741 patients whose data was in the exposed file and is offering them credit monitoring services.
Sentara’s full notice can be found at their website.
Let this also be a reminder of how helpful it is to have a compliance hotline or security hotline on your website that good samaritans can find.