Emerson Hospital Alerts Patients to May 2018 Breach at Claims Processing Vendor

Emerson Hospital in Concord, MA, is alerting 6,314 patients that some of their protected health information has been exposed due to a security breach at a third-party vendor in May 2018.

The hospital explained that the breach occurred between May 9 and May 17, 2018, and was an unauthorized disclosure incident. A former employee of MiraMed Global Services, a company that helps the hospital collect payments, was discovered to have sent files containing protected health information to a third party who was not authorized to receive the information.

The files contained the types of information usually sought by identity thieves, including names, addresses, Social Security numbers, and insurance policy information. Financial information and health information were not compromised.

The employee responsible was fired over the breach and the matter was reported to law enforcement. It is unclear whether the employee responsible has been charged over the theft.

A forensic investigation confirmed that ePHI had been stolen, but a spokesperson for the hospital issued a statement saying, “A detailed forensic investigation showed that the files were of such poor quality that a third-party did not find the data useful.”

Even though the information does not appear to have been misused, as a precaution, all affected patients have been offered identity theft protection services through Experian IdentityWorks for 24 months without charge.

This is the second healthcare institution to report that it has been affected by the breach. Rush System for Health also reported a similar case to OCR on February 28, 2019. Even though names, Social Security numbers, birthdates, and insurance information were also compromised, Rush reported that patients faced a low risk of fraud since no financial information was compromised. Approximately 45,000 of its patients were affected.

It is not known whether any other healthcare organizations have been affected by the MiraMed breach.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.