HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Privacy Incident Reported by Meritus Medical Center

The Meritus Medical Center (MMC) in Hagerstown, Maryland has started issuing breach notification letters to 1,029 patients after a “privacy incident” was discovered in which patient names and other Personally Identifiable Information (PII) were exposed along with healthcare information and Social Security numbers, according to a report in the Herald Mail.

Dates of birth, patient gender and medical record numbers were potentially viewed along with healthcare data such as medical test results. Not all individuals had their Social Security numbers compromised, as this data was stored for only a limited number of individuals. MMC has confirmed that no financial information was exposed in the data breach.

Breach Notification Letters Sent

HIPAA-Covered Entities often delay the issuing of breach notices to patients so that a full breach investigation can be conducted, which can take some time to complete. This proved to be the case with Meritus Medical Center, although according to a statement released by an MMC spokesperson, Mary Rizk, the breach notice letters were sent “as soon as possible”.

The investigation into the data breach commenced “as soon as the incident was discovered by our security/privacy audit.” The investigation showed that patient information was accessed by a member of staff of the Business Associate, although it does not appear that any of that information was used inappropriately, so the risk of identity theft or fraud is perceived to be low.

Because the estimated level of risk to patients is relatively low, no credit monitoring services have been offered, although patients have been advised to check their Explanation of Benefits statements for any sign of fraudulent activity. Credit reports should also be obtained from Equifax, Experian and TransUnion and checked on an annual basis. By law, American citizens can obtain a free credit report once every 12 months from each of the three credit bureaus.

Data Breach Caused by an Employee of a Business Associate

The data breach was identified following a routine audit of the medical center’s Business Associates (BAs) on May 4, 2015. The audit revealed that one of the company’s BAs – a “trusted vendor” – had accessed patient information in a way that was deemed to fall outside of the BA’s work duties. Between July 2014 and April 2015 the data of 1,029 patients appears to have been accessed, and what MMC refers to as “limited information” was potentially viewed by an employee.

As soon as the breach was discovered, MMC terminated the employee’s access rights to prevent any further information from being compromised. The BA has assured MMC that the employee responsible has been disciplined for the incident. It is not known whether the individual in question is still working for the BA.

To reduce the risk of future data breaches caused by BAs, “[MMC] will continue to work toward further strengthening controls related to vendor access to patient information and enhancing our monitoring capabilities with regard to vendor access.”

OCR to Scrutinize HIPAA Compliance in Second Round of HIPAA Audits

The Department of Health and Human Services’ Office for Civil Rights (OCR) has been closely monitoring Business Associates for HIPAA violations since BAs were brought under the HIPAA Rules by the Omnibus Rule. BAs found not to have implemented the standards necessary to ensure healthcare data is protected can be fined directly by OCR. The penalties can be viewed here.

The second round of HIPAA compliance audits is expected to take place later this year, and BAs will be assessed for compliance with the HIPAA Rules. Any BA that has not reached the minimum standards for data security is likely to receive a penalty for non-compliance.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.