HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Centegra Data Breach Exposes PHI of 3,000 Patients

A mailing error caused a recent Centegra data breach that exposed a limited amount of Protected Health Information of 2,929 of the Health System’s patients.

Business Associate Responsible for Centegra Data Breach

Centegra Health System operates three hospitals and a number of other healthcare facilities in McHenry County, Illinois. It recently discovered that one of its third-party vendors had made an error that accidentally exposed the PHI of some of its patients.

The data breach was the result of a simple error made by an employee of MedAssets, the company contracted to mail billing statements to patients. An error made while configuring the equipment used to prepare the mailing resulted in patients being sent two billing statements instead of one: one statement was correct and contained the patient’s own personal data and charges, while the other belonged to a different patient.

Each envelope was filled automatically and mailed. MedAssets sent 2,929 letters to patients between November 2 and November 6, 2015. Centegra was notified of the data breach on November 10, eight days after the mailing run began.


The billing statements included data classed as Protected Health Information under HIPAA Rules. That data included patient names and addresses, their account numbers, service dates, service summaries, original account balances, third party payment information, the amount owed by patients, and other charges that had been applied to accounts.

Centegra has not received any reports of data being used inappropriately, although the incident is a serious breach of patient privacy. Due to the risk of data being used for fraudulent purposes, all affected patients have been offered a year of credit monitoring services without charge.

Some recipients of the billing statements have already contacted Centegra to advise the health system of the mailing error, and they have been instructed to securely dispose of the statements that were sent to them in error. Letters have been mailed to all affected individuals to advise them of the error: 3,000 recipients of the statements have been notified by mail to destroy the statement they received in error, and the 2,929 patients whose PHI was exposed have been alerted to the exposure. They have also been provided with information to help them mitigate the risk of identity theft and fraud.

Centegra Health System has taken the decision to appoint a new vendor to deal with its mailings in the future, although MedAssets will continue to be used for insurance billings. The change of vendor will take place when Centegra changes over to its new “Centegra One Bill” billing system in a few weeks.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.