655,000 Bon Secours Patients Notified of Potential PHI Breach

Bon Secours Health System is in the process of notifying 655,000 patients that some of their protected health information was exposed as a result of an error made by one of its business associates.

The error was made by Arizona-based reimbursement optimization firm R-C Healthcare Management. Network settings were reconfigured between April 18 and April 21; however, an error was made that allowed files containing PHI to be accessed via the Internet. The configuration error was discovered by Bon Secours on June 21, almost two months later.

Bon Secours notified R-C Healthcare Management of the error and prompt action was taken to ensure that files were secured. It is unclear whether PHI was accessed, although Bon Secours has said the vulnerability has now been addressed and PHI has been secured. No information has been received to suggest that any patient data were misused in any way.

The files contained the names of patients, banking information, insurer names, insurance ID numbers, Social Security numbers, and some clinical data. No medical records were accessible at any point, although up to 600 individuals also had their lab test results exposed.

437,000 of the affected patients are Virginia residents; the other patients reside in Kentucky, South Carolina, or New York. After being notified of the breach, R-C Healthcare Management hired a computer forensics firm to investigate the incident and an internal investigation was launched by Bon Secours. The investigations took two months to complete, hence the delay in issuing breach notification letters to patients. Those letters started to be mailed to patients on August 12.

All patients affected by the security incident have been offered a year of credit monitoring and identity theft protection services without charge. Steps have also been taken by Bon Secours to reduce the risk of similar incidents occurring in the future. Bon Secours President and CEO Richard Statuto issued a statement saying, “We are working with all of our vendors to reinforce our high standards and expectations regarding privacy and security of information.”

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.