Data Breaches Reported by Hopscotch; Athenahealth; Central Resources
Hopscotch Health Management has learned that a bad actor accessed the physical records of almost 5,000 patients. Data breaches have also been reported by the EHR vendor athenahealth and the debt collection company Central Resources.
Hopscotch Health Management
Hopscotch Health Management in Illinois has recently reported a data breach to the HHS’ Office for Civil Rights that involved the protected health information of 4,945 patients. Unauthorized access to physical records was detected by Hopscotch on August 27, 2024. The records contained information about patients of Cannon Family Health, which now operates as Hopscotch Primary Care, and specifically patients who received healthcare services at its primary care facility at 6 Brooklet Street in Asheville, NC.
A bad actor with no affiliation with Hopscotch accessed the physical records. Law enforcement provided access to some of the impacted records on September 19, 2024, and Hopscotch confirmed they included billing statements that included name, the amount paid and identified the individual as a patient of Cannon Family Health, and for certain patients, documents that included patients’ names, addresses, contact information, and clinical information such as diagnoses, treatments, test results or medications. The bad actor has been detained by law enforcement and is now facing prosecution. Hopscotch said it is implementing policies and procedures to improve the protection of physical records.
Athenahealth
The electronic health record and revenue cycle management vendor athenahealth has recently notified 1,974 individuals about the exposure of some of their protected health information. Athenahealth submits and receives patient insurance eligibility queries and insurance provider responses on behalf of its healthcare provider clients. On September 16, 2024, an insurance provider notified athenahealth that eligibility transaction files were visible in a publicly accessible Internet repository. The files were removed from the repository and the investigation determined that a manual error was made configuring the repository, which allowed the files to be accessed on or after April 3, 2024.
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy
The information contained in the exposed files varied from individual to individual and may have included an individual’s name along with one or more of the following: address, date of birth, gender, insurance member ID, clinical information (healthcare provider’s name, health insurance provider, information regarding clinical care and payment responsibilities for that care such as co-pay amounts). Social Security numbers and financial account information were not involved.
Athenahealth is implementing additional safeguards, workflows, and processes to prevent similar incidents in the future. The affected individuals have been offered 12 months of complimentary credit monitoring and identity theft protection services.
Mid-Minnesota Management Services (Central Resources)
Mid-Minnesota Management Services, doing business as Central Resources, a provider of debt collection services, experienced a security incident that exposed the data of 1,232 individuals. The incident occurred through one of its vendors. The vendor used a subcontractor, who accidentally sent a file containing protected health information via a text message on September 12, 2024.
The error was rapidly identified and the campaign was stopped, and each recipient of the text message was contacted by text and asked to delete the message and shared file. The file contained the individual’s name, cell number, and identified them as an individual with an outstanding medical debt with its client. Central Resources is no longer working with its downstream vendor and is evaluating the security processes of its suppliers to ensure they have implemented reasonable and appropriate safeguards to protect any protected health information they have access to.
