RGH Enterprises, Inc. d/b/a Edgepark Medical Supplies (“Edgepark”) is an Ohio medical supplies provider that ships products directly to patients and bills their insurance for them.
Rise Interactive Media & Analytics, LLC (“Rise”) is an Illinois firm that provides digital marketing services for Edgepark as a business associate. They also provide analytics and other services to other clients.
On February 3, Rise notified HHS of a hacking incident. In a notification sent to the California Attorney General’s Office on Edgepark’s behalf, Edgepark wrote that Rise detected an incident on November 14, and on December 2, its investigation determined that a file containing Edgepark data was involved in the breach. Rise notified Edgepark on December 5.
The file potentially involved included patients’ names, email addresses, phone numbers,
provider information, diagnoses, expected delivery dates, and health insurance information.
Edgepark published a link on the home page of its website to a notice posted on Rise’s website about the Edgepark data. There is no notice on Rise’s homepage about any incident.
It is not clear whether any other Rise clients had protected health information involved in the incident.
Rise’s notification to HHS indicated that 54,509 patients were being notified of the incident. It is not clear whether that number is all patients impacted by the incident or if that number is just for Edgepark patients. DataBreaches submitted an inquiry to Rise on February 10 seeking clarification but received no reply.
Edgepark’s letter makes no mention of any complimentary services being offered to those being notified. It states, “Rise has assured us that it will continue to evaluate and modify its
practices and internal controls to enhance the security and privacy of personal information.”