Although it’s flown under the media’s radar so far, CCS Medical has notified states, law enforcement, HHS, and the IRS that an employee may have accessed and disclosed customers’ and patients’ Social Security numbers for a tax refund fraud scheme.
And yes, this took place in Florida.
Interestingly (to me, anyway), the dates of possible improper access overlap with the time frame for the ADPI breach where an insider was providing ambulance patient data to others for a tax refund fraud scheme. In ADPI’s case, the improper conducted occurred on June 1; for CCS Medical, it would have occurred between May 1 and September 21. In ADPI’s case, however, the firm found out via law enforcement. In this case, another employee brought the concern to management, who started their own internal investigation and contacted relevant authorities.
As of December 10, when CCS Medical’s attorneys notified the New Hampshire Attorney General’s Office, the firm had not yet conclusively determined whether the improper access and disclosure had occurred or not, but they note that the employee would have had access to names, dates of birth, phone numbers, Social Security numbers, Medicare or insurance policy numbers, secondary insurance information, and details on products or services ordered from CCS Medical.
Notification letters were sent to those possibly affected on December 7.