The HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Data Breach at New York Medical Billing Service Provider Affects 284K Individuals

M&D Capital Premier Billing in Queens, NY, has announced a breach of the protected health information of 284,326 individuals. Data breaches have also been reported by Tri-City Healthcare District and Dental Health Services in California, and Ethos (Southwest Boston Senior Services) in Massachusetts.

M&D Capital Premier Billing

M&D Capital Premier Billing, a Queens, NY-based billing service provider, has notified 284,326 individuals about a cybersecurity incident identified on July 8, 2023. Suspicious activity was detected within its network and third-party cybersecurity specialists were engaged to investigate the nature and scope of the unauthorized activity. The forensic investigation confirmed that an unauthorized third party gained access to its network on June 20, 2023, and maintained access until July 8, 2023.

During those three weeks, protected health information provided by its covered entity clients may have been viewed or acquired. That information may have included names, addresses, dates of birth, Social Security numbers, financial information, medical billing information, insurance information, and medical information such as diagnoses, medication, and treatments. M&D Capital Premier Billing said it has reviewed its existing policies and procedures and has implemented additional administrative and technical safeguards to help prevent future attacks. The affected individuals have been offered single-bureau credit monitoring, credit report, and credit score services at no cost.

Ethos (Southwest Boston Senior Services)

Ethos, aka Southwest Boston Senior Services, has recently announced a cybersecurity incident that occurred on November 18, 2023, and exposed the protected health information of 14,503 individuals. On March 13, 2024, it was confirmed that protected health information had potentially been accessed or acquired in the incident. For most of the affected individuals, the exposed data included names, addresses, medical insurance information, and health and treatment information. A small group of affected individuals also had their Social Security numbers exposed.

Contact information has now been verified, which will allow individual notifications to be mailed to the affected individuals. Ethos did not state in its website notification whether credit monitoring and identity theft protection services are being offered. The notification letters will explain the steps that affected individuals can take to monitor and protect their information.

Tri-City Healthcare District

Tri-City Healthcare District in California has notified 7,847 individuals about the exposure of some of their protected health information. On November 9, 2023, unusual activity was detected in its systems, which disrupted access to those systems. The forensic investigation confirmed that an unauthorized third party gained access to its network on November 8, 2023, and may have viewed or exfiltrated files containing patient data.

The review of the affected files was completed on or around March 7, 2024, and confirmed that names and Social Security numbers had been exposed. Notification letters were sent to the affected individuals on April 4, 2024, and complimentary identity theft protection services have been offered. Tri-City Healthcare District said it has implemented additional security measures to further harden security and prevent similar incidents in the future.

Dental Health Services

Dental Health Services, a Californian provider of dental health plans to individuals in California, Oregon, and Washington, has notified certain plan members about an impermissible disclosure of some of their protected health information. On or around February 7, 2024, an error resulted in monthly invoices containing plan member data being mistakenly emailed to certain employer group customers. The invoices were encrypted and password protected, but before the error was identified, the email recipients were sent the encryption password in a separate email, which allowed the invoices to be viewed.

The invoices contained the impacted members’ names, dates of birth, member identification numbers, eligibility dates, plan types, and premium amounts due. Dental Health Services has received assurances from all recipients of the emails that the incorrectly disclosed invoices have been deleted. Due to the nature of the disclosed information, Dental Health Services does not believe the data will be misused.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
