HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Hospital HIPAA Breaches Go Haywire: 40 CEs Notified of MML Breach

The actions of one employee at billing Business Associate Medical Management LLC have resulted in a HIPAA data breach that has affected 40 different healthcare providers in New York, New Jersey, Pennsylvania and Illinois, with more breach reports and notifications expected to be released in the next few days.

The latest hospitals to issue breach notifications come from Bergen County in North Jersey. Three hospitals have been notified by Medical Management that their patients have been affected, with approximately 4,500 victims reported across the three hospitals.

Medical Management is sending breach notification letters to all affected individuals and has set up a template which it is using to notify all 40 of its clients of the data breach.

As reported on Friday last week, the data breach was caused by a former employee of Medical Management LLC who accessed the billing database, copied protected information and provided that information to a third party. Law enforcement officers became aware of the data breach and notified Medical Management on March 16, 2015.

An investigation was conducted and the call center employee in question was interviewed and disciplined, which involved the termination of the employee’s work contract. There is also an ongoing criminal investigation into the matter, and should the employee be found guilty, it is likely that the data theft will result in a considerable fine and potentially up to 10 years in prison.

The information exposed in the data breach includes patient names, dates of birth and Social Security numbers. Medical Management is offering all victims of the breach a year of credit monitoring services without charge to mitigate any damage caused.

The List of MML Hospital HIPAA Breach Victims Grows

The data breach is understood to have affected all 40 of MML’s clients, with 16 hospitals so far having announced they have been notified that some of their patients have been affected by the data breach.

Hospitals Confirmed Affected by the Medical Management Data Breach


  • Valley Hospital: Ridgewood, New Jersey
  • Englewood Hospital and Medical Center, New Jersey
  • Emergency Physicians of Englewood, New Jersey
  • Holy Name Medical Center: Teaneck, New Jersey
  • White Plains Hospital Center, New York
  • Phelps Memorial Hospital Center, New York
  • Emergency Physicians, New York
  • Park Slope Emergency Physician Services, PC, New York
  • The Brooklyn Hospital Center Emergency Medicine, PC, New York
  • University of Pittsburgh Medical Center, Pennsylvania
  • Conemaugh Memorial Medical Center
  • Conemaugh Meyersdale Medical Center
  • Conemaugh Miners Medical Center
  • Emergency Physicians of Pittsburgh, Ltd.
  • Allegheny Health Network’s Pittsburgh Jefferson Hospital
  • Tri-County Emergency Physicians, LLC, Illinois

Many Breach Victims are yet to Discover their Data has been Exposed

The total number of victims from the MML data breach has not yet been released (05.27.15: OCR Breach Report now states 20,512 were exposed), although Conemaugh Health System has confirmed that 1,551 patients have been affected at three of the healthcare provider’s hospitals, UPMC reported that 2,259 patients have been affected, and 1,100 patients who had received treatment at White Plains Hospital have also been affected. The three Bergen County hospitals (Ridgewood Valley Hospital, Englewood Hospital and Medical Center, and Holy Name Medical Center in Teaneck) have each had approximately 1,500 patients affected.

This brings the reported number of breach victims to over 9,400, with that figure expected to increase substantially over the next few days.

Flurry of Data Breaches Reported to OCR

The start of May was a relatively quiet period for healthcare data breaches. At the end of April, there was a flurry of breach reports submitted to the Department of Health and Human Services’ Office for Civil Rights. In the last week of April, 9 data breach reports were received which affected a total of 165,189 victims. Seton Family of Hospitals suffered a 39,000-record breach, Saint Agnes Health Care, Inc. had 24,967 records compromised, and the Jacobi Medical Center reported a breach of 90,060 records.

During the first two weeks of May, Partners HealthCare System, Inc. announced a 3,300-record breach, Ventura County Health Care Agency reported 1,339 individuals had their data compromised and Walgreens was hit again, this time with a breach involving 1,339 individuals. This was a relatively quiet period given the volume of data breaches reported so far this year.

However, the relative calm now appears to be over with the announcement of the MML breach and CareFirst Blue Cross Blue Shield’s discovery that one of its databases was infiltrated by a hacker, resulting in the exposure of 1.1 million patient records.

Post Updated: May 26, 2015.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.