The Center for Autism and Related Disorders (“CARD”) has locations throughout the U.S. On January 24, it experienced a reportable breach when “as part of a recent update to its patient billing systems, the third-party vendor responsible for generating patient invoices incorrectly made a computer error which resulted in certain caregivers receiving an invoice for services for an unrelated patient.”
The number of patients affected was not disclosed, but CARD reports the problem was confined to January 2023 billing statements for patient cost-sharing amounts. The incident does not appear on HHS’s breach tool at publication time.
The type of information involved reportedly included:
patient name, CARD internal reference number and payment history (insurance payments, patient payments, adjustments, account balance). No credit card, debit card, or banking information was revealed. Further, no personally identifiable data such as social security number, address, phone number, or email address were revealed.
In their notification letter, CARD describes their response to the incident. But there’s also this statement:
What You Can Do
To the extent that you were one of the families who received the incorrect patient statement, we would kindly ask that you destroy the document by completely shredding it and properly disposing of it in your trash receptacle.
How many recipients of the wrong statement have shredders in their homes? Does CARD’s incident response to this aspect of the breach seems sufficient, or should they have done something more or differently?