HealthSource of Ohio, a private, not-for-profit community health center experienced a privacy breach in November 2013 that affected 8,845 patients. The incident was added to HHS’s public breach tool this week.
According to a statement posted on their website on or after February 26th, HSO uses a web-based program to provide information to patients calling with billing questions. On December 24, however, they discovered that file information from 2004 through 2013 had been unprotected and available to unauthorized individuals searching the Internet from November 18, 2013 through December 24, 2013.
HSO disabled the site access and immediately secured the information so that it can only be accessed by qualified HSO staff.
The unsecured file contained demographic and personal identifying information such as names, account numbers, addresses and phone numbers. Additional information such as dates of birth, social security numbers, credit card numbers and some limited healthcare information appeared in some individual call entries. HSO’s investigation showed that the file was viewed 47 times.
“The privacy and security of patients’ personal and healthcare information is very important to HSO. Individuals who called HSO’s patient accounting staff during the time period above with questions about their account should examine their personal and financial information, such as credit card accounts and accounts with financial institutions for unusual or unauthorized activity. Patients can contact HealthSource of Ohio toll-free at 1-800-495-7647 for further information,” HSO told those affected.
In its submission to HHS, HSO listed Pair Networks as the business associate, but that does not mean that the breach was due to any error on Pair Networks’ part. It may simply have been reported because that’s where the file was hosted. Pair Networks’ terms of service in their contract makes account security the sole responsibility of the customer.