Current Risk of Fraud from 2012 Philadelphia Ambulance HIPAA Breach

This week the Philadelphia Fire Department reported a data breach involving 750 individuals who had used the ambulance service in 2012. Three years ago, an employee of Intermedix, the company the Fire Department used to handle its data needs, had been given access to records and used his data access privileges to steal patients' financial data. According to an investigation launched soon after the discovery of the breach, the data was stolen in order to file fraudulent tax returns.

The employee responsible is now in prison, and at the time it was deemed that the information had not been sold on or used inappropriately. However, earlier this year, law enforcement officers in Florida found an individual in possession of a sheet of data containing billing records of patients who had used the Philadelphia Ambulance Service. Upon investigation it was discovered that approximately 750 patients had their financial information exposed and potentially sold on. The persons affected were those who had used the service on April 1 or April 2, 2012.

The Fire Department issued a statement saying that all of the patients affected by the data breach have been notified by mail that their billing information may have been compromised. It was confirmed that the information is limited to billing details and no healthcare data was compromised in the incident.

While it is clear that the data breach involved the records of ambulance passengers who used the service on two days in April, the Fire Department could not rule out the possibility that access was gained at other times and that other data could have been stolen. It has said that any patient who used the ambulance service between Feb. 1 and Sept. 4, 2012, could also potentially be at risk.

However, according to the breach report submitted to the Office for Civil Rights, the City of Philadelphia Fire Department Emergency Medical Services Unit reported that 81,464 records were compromised. It is not clear at this stage whether this was a separate breach, or a reassessment of the number of victims after its investigation had been completed.

Since it is clear that the data has either been sold or passed on, there is a risk that the data has already been used for fraudulent purposes, especially considering the incident occurred more than three years ago. It is therefore important that credit reports are obtained, and all individuals receiving a breach notification letter should contact the IRS to obtain information on tax returns that have been filed and check for any fraudulent activity.

All recipients of a breach notification letter are being offered credit monitoring services free of charge, in addition to fraud resolution services if any information has already been used by criminals to obtain benefits, products or services.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.