HIPAA Business Associate Notifies Patients of Data Breach

EqualizeRCM Services, an Austin, TX-based vendor of billing services, is in the process of sending breach notification letters to patients to alert them to the potential exposure of their Protected Health Information after an employee’s laptop computer was stolen.

At this stage it is unclear how many individuals have been impacted as the security breach has not yet been added to the Department of Health and Human Services’ Office for Civil Rights breach portal.

Patients of the following healthcare facilities have been impacted by the data breach:

  • Central Dallas Surgery Center
  • Hermann Drive Surgical Hospital
  • Kirby Surgical Center
  • Microsurgery Institute (Houston, Dallas)
  • Northstar Healthcare Surgery Center (Scottsdale, Houston, Dallas)
  • Plano Surgical Hospital
  • Southwest Freeway Surgery Center
  • Victory Medical Center Houston

The laptop computer contained a number of unencrypted documents which could potentially be accessed by unauthorized individuals. The documents did not contain any Social Security numbers or financial account numbers, although personally identifiable information and health insurance information were exposed. Consequently, patients do face an elevated risk of suffering identity theft or fraud as a result of the security incident.

EqualizeRCM has taken the decision to offer all affected individuals a year of credit monitoring services and identity theft remediation services without charge.

The data exposed as a result of the laptop theft include names, addresses, contact telephone numbers, genders, dates of birth, billing and medical diagnosis codes, medical record numbers, health insurance provider names, health insurance policy numbers, internal reference numbers, dates of service, type of services received, healthcare provider information, facilities where treatment was provided, and other administrative information.

It is not clear exactly when the laptop computer was stolen, although EqualizeRCM was informed of the theft on February 29, 2016.

The theft and exposure of patient health information has prompted EqualizeRCM to review its policies and procedures and implement further safeguards to prevent patient health data from being exposed in the future. Employees will also receive further training on policies covering the correct handling of protected health information.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.