In doing some of my weekly investigating, I discovered that OCR seems to have closed its investigation into the Bizmatics, Inc. breach that affected an untold number of PrognoCIS customers and their patients. At last count, I think we knew about almost 300,000 patients that were notified of an incident where Bizmatics could not even determine whether patient records had been accessed or not.
But as part of its investigation into Complete Family Foot Care’s report, OCR noted in closing its investigation:
Bizmatics, Inc., a business associate (BA) that the covered entity (CE), Complete Family Foot Care, employs for the online storage and management of its patient health records, discovered an unauthorized access to the computer servers on which the CE’s’s patient files were stored. The breach affected 5,883 individuals and included clinical information. Upon request of the CE, the BA provided breach notification to affected individuals and complimentary identity recovery services for individuals victimized by identity theft. The CE also provided breach notification to HHS and the media and posted substitute notice on its website. Following the breach the BA comprehensively scanned for malware and any external vulnerabilities, upgraded all anti-virus and anti-malware programs as well as system hardware and operating systems, updated server and account passwords, and revised its firewall configurations. The BA also implemented stricter password policies and initiated the installation of an active traffic-monitoring solution for its network. OCR obtained written assurances that the CE and BA implemented the corrective actions listed above.
Given that the investigation appears closed – and I do think the changes Bizmatics made sound appropriate – we may never find out how many patients, total, were notified of this incident.
Did I ever mention I hate not knowing things? If anyone actually knows what the total count was for this incident, please get in touch. Whistleblowers welcome.