Ambucor Health Solutions Breach Impacts 2,500 Greenville Health System Patients

Approximately 2,500 patients of Greenville Health System in South Carolina have been affected by a privacy incident involving one of the health system’s vendors: Delaware-based Ambucor Health Solutions.

Ambucor Health Solutions provides a remote-monitoring labor service for cardiac devices. According to the substitute breach notice on the Greenville Health System website, a former Ambucor Health Solutions employee downloaded some electronic protected health information from the company prior to leaving employment.

The data were downloaded without authorization, although two flash drives containing patient data were subsequently turned over to law enforcement, which notified Ambucor Health Solutions in July this year.

The data on the storage devices were discovered to contain a range of ePHI of patients of GHS’ Carolina Cardiology Consultants. Approximately one fifth of cardiac-monitored patients were affected by the privacy breach.

The data on the devices included the names of patients, their dates of birth, phone numbers, home addresses, race, prescribed medications, medical diagnoses, patient ID numbers, testing data, Ambucor enrollment numbers and enrollment dates, physicians’ names, Ambucor technicians’ names, the locations where patients were being seen, and details of the medical device that had been fitted – including model numbers, serial numbers, and id numbers. Only one patient’s Social Security number was present on the storage devices. No financial data, Medicare/Medicaid numbers, debit or credit card numbers were copied to the devices.

While the incident was discovered in July, it took until late September 2016 for Ambucor Health Solutions to complete a detailed forensic analysis of the storage devices. However, it has taken a further two months for patients to be notified of the breach.

According to the breach notice on Greenville Health System’s website – dated November 4, 2016 – “Letters with instructions about activating the free identity protection services will be mailed to affected patients next week.” Patients will be offered one year of identity theft protection services and a $1 million identity theft insurance policy “out of an abundance of caution.”

Greenville Health System has confirmed that “Any third party that handles GHS patient information must contractually agree to implement and maintain adequate physical, technical and administrative safeguards to protect the confidentiality of that information.” Ambucor Health Solutions has committed to take steps to prevent future breaches of this nature. Those steps include “a thorough review of and updates to all HIPAA security processes.”

A breach report submitted to the Department of Health and Human Services’ Office for Civil Rights on July 22, 2016 by Ambucor Health Solutions indicates the company experienced an “Unauthorized Access/Disclosure” incident involving email and an “other portable electronic device.” The breach report indicates 1,679 individuals were impacted. It is unclear whether this latest announcement is a separate breach or whether the investigation revealed more records were copied than was originally thought.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.