Cardiac biotelemetry firm BioTel seems to be issuing public notices about a data leak incident first reported on this site in August 2020. The data were only secured when Amazon was contacted by a researcher and asked to reach out to their customer to secure the data. Neither BioTel nor its vendor had responded to attempts by the researcher or this site to notify them of the leak, and three months later, they still had not acknowledged the notifications or any incident. In November, DataBreaches.net filed a watchdog complaint with HHS against both the covered entity and the business associate, still not knowing whose bucket it was.
BioTel disclosed the leak to patients and to HHS in March, claiming that they first discovered the breach in January (when they read this site’s August reporting on the incident). Their notification indicated that they had terminated their relationship with the vendor, and it seemed clear that they were claiming that the vendor never notified them of the incident after discovering it in August.
To date, OCR’s investigation of the incident, which incorporates this site’s watchdog complaint, appears to still be open.
So did BioTel continue investigating and discover more patients who needed to be notified? It’s possible. There’s really nothing new in their latest public notice that appears below the separator.
As an update: DataBreaches.net never did hear back again from BioTel after their lawyer called this site in February to ask how we had attempted to notify them.
MALVERN, PA, June 2, 2021 – BioTel Heart (the “Company”), a division of BioTelemetry, Inc., has announced that on January 28, 2021, it learned that a vendor failed to secure certain patients’ personal information that was stored online. The Company immediately took steps to investigate and respond to the incident. The investigation revealed that the information involved may have been publicly accessible between October 17, 2019 and August 9, 2020. There is no evidence to date that the information has been misused as a result of this incident. The affected personal information may have included patient names, contact information, dates of birth, medical information relevant to remote cardiac monitoring services (including the name of the prescribing physician, and patients’ diagnoses, diagnostic tests, and treatment), and health insurance information. The records may have also included Social Security numbers, although the Company does not request or require Social Security numbers from the physicians who order its services. The Company notified all those affected patients for whom it had current contact information and arranged to provide identity protection services including credit monitoring at no charge to all affected patients for two years. Individuals who did not receive notification but believe their information may have been affected can call 855-654-0879 toll-free for additional information, Monday through Friday, 9:00 a.m. to 9:00 p.m. Eastern Time (closed on U.S. observed holidays).

Published in The Gazette, June 4, 2021
Update: OCR eventually closed their investigation without any further action against the entity. HHS’s public breach tool lists the incident as impacting 38,575 patients.