There’s been another addition to HHS’s public breach tool.
Punuru J.M. Reddy, MD, Inc. in Alabama reported a breach involving their billing vendor and business associate, PracMan, Inc. The incident, which affected 1,179 of their patients, reportedly occurred on August 22, 2013 and was added to HHS’s breach tool yesterday.
In a statement issued March 7, 2014 on its website, PracMan, Inc. notes that the breach, caused by a subcontractor’s error while doing computer repairs, also affected patients of Monarch Women’s Health, a now-closed practice formerly associated with Decatur General Hospital. PracMan sent notification letters to the affected patients. The IT subcontractor was not named.
PracMan’s full statement follows:
PracMan Identifies Data Security Breach
Steps Immediately Taken to Minimize Effects
PracMan, Inc. has discovered a data security breach involving patient information, and has notified the affected parties, in compliance with the Health Insurance Portability and Accountability Act (HIPAA) and other applicable laws.
On January 10, 2014, PracMan learned that in August of 2013, while performing repairs on a PracMan computer, an Information Technology subcontractor copied and stored computer files in error to an unsecured server the IT company maintains.
The files contained protected health information (PHI) including, in some instances, patient names, patient account numbers, addresses, telephone numbers, dates of birth, dates of service, and insurance policy numbers. Some files included medical information or payment/refund amounts. Sixty-nine social security numbers were involved.
No credit card information whatsoever was disclosed.
Once discovered, the information was promptly deleted from the server, and PracMan, through its subcontractor, worked with Internet search engines (including Google) to remove links to the data on search engine results pages. PracMan promptly notified its affected healthcare provider clients. HIPAA requires that notices be sent to all patients who were potentially affected by the data breach.
Among PracMan clients involved are Punuru J. M. Reddy, M.D., Inc. and Monarch Women’s Health (a practice that is now closed, and on whose behalf PracMan is sending notices to affected patients).
For all patients whose date of birth and Social Security Number were potentially disclosed, PracMan is providing a year of credit monitoring services at its own expense, including $1 million in identity theft insurance. PracMan President Julian Price, III said the company is reviewing additional modifications to its procedures as a result of the breach.
“We go to great lengths to maintain the security of patient data, and we take that responsibility very seriously. We have worked with our subcontractor not only to remove the data in question, but to understand fully how the breach occurred and to ensure this does not happen again,” Price said.
“We regret any inconvenience this data breach may have caused patients, and we are determined to do everything necessary to prevent any negative impact to patients, including performing certain additional steps not required under HIPAA,” he said.
Patients affected by the breach may contact PracMan at [email protected], or by calling toll-free 1-844-202-5907. Please call any time, Monday-Friday from 8am to 5pm. Additional information will also be posted to this website, as it becomes available.
According to media coverage by Deangelo McDaniel on March 7, a total of about 3,100 patients were affected by the breach, which affected more than just the two named medical practices:
Patients of another 25 to 30 doctors were involved, according to Julian Price III, who owns the Decatur billing company, PracMan Inc., where the breach occurred.
[…]
[A public relations spokesperson] said a patient who searched her name through Google connected to the information on the unsecured server and notified Decatur General on Jan. 10.
Spokeswoman Leigh Hayes said the hospital was aware of the breach. She said PracMan has been “extremely forthcoming” and is doing “everything possible to rectify the situation.”
Reddy’s office on U.S. 31 was closed Friday, and his answering service said he was not available for comment.
Price said about 2,800 patient names involved with the breach contained no information about diagnosis or treatment procedures.
Read more on Decatur Daily.
Overall, I am pretty impressed with PracMan’s transparency about the breach and their efforts to mitigate harm. Their only mistake, perhaps, was not checking periodically to see if any of their files were exposed on the internet.