The HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

655,000 Bon Secours Patients Notified of Potential PHI Breach

Bon Secours Health System is in the process of notifying 655,000 patients that some of their protected health information was exposed as a result of an error made by one of its business associates.

The error was made by Arizona-based reimbursement optimization firm R-C Healthcare Management. Network settings were reconfigured between April 18 and April 21; however, an error was made that allowed files containing PHI to be accessed via the Internet. The configuration error was discovered by Bon Secours on June 21, almost two months later.

Bon Secours notified R-C Healthcare Management of the error and prompt action was taken to ensure that files were secured. It is unclear whether PHI was accessed, although Bon Secours has said the vulnerability has now been addressed and PHI has been secured. No information has been received to suggest that any patient data were misused in any way.

The files contained the names of patients, banking information, insurer names, insurance ID numbers, Social Security numbers, and some clinical data. No medical records were accessible at any point, although up to 600 individuals also had their lab test results exposed.

437,000 of the affected patients are Virginia residents; the other patients reside in Kentucky, South Carolina, or New York. After being notified of the breach, R-C Healthcare Management hired a computer forensics firm to investigate the incident and an internal investigation was launched by Bon Secours. The investigations took two months to complete, hence the delay in issuing breach notification letters to patients. Those letters started to be mailed to patients on August 12.

All patients affected by the security incident have been offered a year of credit monitoring and identity theft protection services without charge. Steps have also been taken by Bon Secours to reduce the risk of similar incidents occurring in the future. Bon Secours President and CEO Richard Statuto issued a statement saying “We are working with all of our vendors to reinforce our high standards and expectations regarding privacy and security of information.”

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
