Cogent Healthcare Contractor HIPAA Error puts Patient PHI in Search Engines

Cogent Healthcare has issued a statement announcing that M2ComSys, a contractor used for transcription services, was responsible for a HIPAA breach that exposed the data of 32,000 patients across America. The data breach not only left medical information accessible to unauthorized third parties, but it also saw some of that protected health information indexed by Google. This is the second reportable HIPAA data breach suffered by Cogent Healthcare, according to the Office for Civil Rights.

The security breach occurred between May 5, 2013 and June 24, 2013; the data was exposed because a firewall had not been activated. Without the firewall in place there were no restrictions on who could access the data, which violates the HIPAA Privacy and Security Rules. The data included personally identifiable information, medical record numbers, medical histories and patient contact details, although no Social Security Numbers were present in the data.

M2ComSys was employed to transcribe notes made by physicians and held the data on what it believed to be a secure server. The firewall was not active, however, and the company made no check to confirm that it was before moving the data onto the server. Cogent Healthcare has now terminated its relationship with M2ComSys.
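The failure described above is a missing pre-deployment check: nobody confirmed the firewall was active before PHI was placed on the host. The script below is an added example of such a check, not tooling from Cogent Healthcare or M2ComSys. It reads a firewall status report in the format of `ufw status verbose` (the three reports here are constructed strings, not output captured from a real system), and returns a list of findings; a deployment step would refuse to move data while the list is non-empty. The approved source list is an assumption supplied by the caller.

```python
"""Pre-deployment exposure check (added example, not the companies' own code).

Input is text in the format of `ufw status verbose`. The check fails if the
firewall is not active, if the default inbound policy is not deny/reject, or if
any inbound ALLOW/LIMIT rule accepts traffic from a source outside the
approved list (for example "Anywhere").
"""
import re

# Constructed sample: the state the article describes, firewall never enabled.
INACTIVE_REPORT = "Status: inactive\n"

# Constructed sample of a host locked down to one internal network.
LOCKED_DOWN_REPORT = """Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW IN    10.20.0.0/16
443/tcp                    ALLOW IN    10.20.0.0/16
"""

# Constructed sample: firewall active, but a file share is open to the world.
WORLD_OPEN_REPORT = """Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW IN    10.20.0.0/16
445/tcp                    ALLOW IN    Anywhere
"""

# One rule line: "<to>  <ACTION> <DIR>  <from>", e.g. "22/tcp  ALLOW IN  10.20.0.0/16".
RULE_RE = re.compile(
    r"^(?P<to>\S+)\s+(?P<action>ALLOW|DENY|REJECT|LIMIT)\s+(?P<dir>IN|OUT)\s+(?P<src>.+?)\s*$"
)


def check_firewall(report: str, allowed_sources: set) -> list:
    """Return a list of findings; an empty list means the host passed the check."""
    findings = []
    lines = report.splitlines()

    status = next(
        (line.split(":", 1)[1].strip() for line in lines if line.startswith("Status:")),
        None,
    )
    if status != "active":
        # No point evaluating rules that are not being enforced.
        findings.append(f"firewall status is {status!r}, expected 'active'")
        return findings

    default = next((line for line in lines if line.startswith("Default:")), "")
    if "deny (incoming)" not in default and "reject (incoming)" not in default:
        findings.append("default incoming policy is not deny or reject")

    for line in lines:
        match = RULE_RE.match(line)
        if not match or match["dir"] != "IN" or match["action"] not in ("ALLOW", "LIMIT"):
            continue
        src = match["src"]
        # "Anywhere" (and "Anywhere (v6)") means the port is reachable from any address.
        if src.startswith("Anywhere") or src not in allowed_sources:
            findings.append(
                f"inbound rule {match['to']} from {src} is outside the approved source list"
            )
    return findings


def safe_to_move_phi(report: str, allowed_sources: set) -> bool:
    """True only when the host produced no findings."""
    return not check_firewall(report, allowed_sources)


if __name__ == "__main__":
    approved = {"10.20.0.0/16"}
    for name, report in (("inactive", INACTIVE_REPORT),
                         ("locked-down", LOCKED_DOWN_REPORT),
                         ("world-open", WORLD_OPEN_REPORT)):
        print(name, "->", check_firewall(report, approved) or "OK")
```

On a real host the report text would come from running the firewall's status command in the deployment pipeline; the decision logic stays the same, and the point is that the check runs before the data moves, not after a search engine has already indexed it.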

The security breach was discovered by Cogent Healthcare, which acted quickly to limit the damage. The company ordered the server taken offline to stop further unauthorized access and took physical control of the hardware. Because some of the data had been reachable through search engines, Cogent contacted Google to have it removed and is working to confirm that all of the information has been de-indexed.

Cogent promptly alerted its customers to the breach and advised them of the steps they should take to protect their identities following the disclosure of ePHI. Each has been offered a year of credit protection services provided by Experian, which includes a credit report, ProtectMyID Alerts and identity theft protection.

The company will also undertake a number of measures to ensure that incidents such as this data breach do not recur. An apology was issued to all customers stating: “Our organization takes information security and patient privacy very seriously. We deeply regret this situation and any inconvenience this may cause our hospital partners and their patients.” The incident has also been reported to the OCR.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.