There’s a follow-up to a lawsuit noted previously on this site, and I think it will be of interest to those interested in healthcare sector breaches.
John Murawski reports:
WakeMed Health and Hospitals will soon notify thousands of patients that their personal and medical information was disclosed in court filings over six years.
A federal bankruptcy court in Raleigh ordered the Raleigh hospital to send out the letters and to offer each patient one year of free credit monitoring. The court last month fined WakeMed $70,000 for disclosing Social Security numbers, birth dates, addresses, the full name of at least one minor, and other patient records in claims it had filed in federal bankruptcy courts to collect unpaid medical bills. WakeMed had disclosed the identifying patient information from 2007 to 2015.
Read more on The News & Observer, while I just marvel that a court ordered them to notify patients, to provide credit monitoring, and to pay a fine.
I wonder what HHS/OCR did in response to this situation. Was it even reported to HHS? There’s nothing on the public breach tool, and yet the news report says that there were thousands of patients affected. So where is the report on the breach tool? Does WakeMed think this wasn’t a reportable breach under HIPAA or HITECH, or is HHS just late in posting some submission?
DataBreaches.net has received no response to inquiries sent to WakeMed yesterday through its site. This post will be updated if more information becomes available.