Well, this is a bit different. Lafayette Pain Care, PC in Indiana notified HHS on May 9 about a hacking/IT incident that affected 7,500 patients.
In trying to track it down (there’s nothing that I could find on their web site), I came across a media report from May 10 that links this to the Bizmatics, Inc. incident that I’ve covered on this blog as I’ve become aware of clients disclosing the incident to their patients.
But unlike other notifications/clients, Lafayette Pain Care seems to be telling their patients that their data was not accessed at all.
Ron Wilkins reports:
Hackers probed the computer servers of a business that houses the electronic records of Lafayette Pain Care, but the electronic snoops were unable to access any records, said Dale Krynak, the pain care facility’s chief operating officer.
“We buy our electronic health record system from a provider in California, Bizmatics,” Krynak said. “At or around the first of the year, they learned that someone had tried to hack into their system.”
An investigation that included the FBI determined in March that the system had not been compromised, Krynak said.
If that’s the case, why are they reporting this?
Federal rules, however, require Lafayette Pain Care to publish an announcement about the investigation into a possible hacking attempt and state the following information:
- The pain care center recommends patients review their forms to confirm the accuracy of included listed services.
- In the event of unauthorized activity, Lafayette Pain Care recommends patients submit a complaint to the Federal Trade Commission by calling 877-438-4338 or online at www.ftcomplaintassistant.gov.
- A Redemption Code for credit monitoring services will be available to our verified patients who may have been affected.
Excuse me while I go scratch my head. If the forensics and FBI said that the system hadn’t been compromised, why is this reportable under HITECH??