The Meritus Medical Center (MMC) in Hagerstown, Maryland has started issuing breach notification letters to 1,029 patients after a “privacy incident” was discovered in which patient names and other Personally Identifiable Information (PII) were exposed along with healthcare information and Social Security numbers, according to a report in the Herald Mail.
Dates of birth, patient gender and medical record numbers were potentially viewed along with healthcare data such as medical test results. Not all individuals had their Social Security numbers compromised, as this data was held for only a limited number of individuals. MMC has confirmed that no financial information was exposed in the data breach.
Breach Notification Letters Sent
HIPAA-Covered Entities often delay the issuing of breach notices to patients to enable a full breach investigation to be conducted, which can take some time to complete. This proved to be the case with Meritus Medical Center, although according to a statement released by an MMC spokesperson, Mary Rizk, the breach notice letters were sent “as soon as possible”.
The investigation into the data breach was commenced “as soon as the incident was discovered by our security/privacy audit.” The investigation did show that patient information was accessed by a member of staff of the Business Associate, although it does not appear that any of that information was used inappropriately, so the risk of identity theft or fraud is perceived to be low.
Because the estimated level of risk to patients is relatively low, no credit monitoring services have been offered, although patients have been advised to check their Explanation of Benefits statements for any sign of fraudulent activity. Credit reports should also be obtained from Equifax, Experian and TransUnion and checked on an annual basis. By law, American citizens can obtain a free credit report once every 12 months from each of the three credit bureaus.
Data Breach Caused by an Employee of a Business Associate
The data breach was identified following a routine audit of the medical center’s Business Associates (BAs) on May 4, 2015. The audit revealed that one of the medical center’s BAs – a “trusted vendor” – had accessed patient information in a way that was deemed to fall outside of the BA’s work duties. Between July 2014 and April 2015, the data of 1,029 patients appears to have been accessed, and what MMC refers to as “limited information” was potentially viewed by an employee.
As soon as the breach was discovered, MMC terminated the employee’s access rights to prevent any further information from being compromised. The BA has assured MMC that the employee responsible has been disciplined for the incident. It is not known whether the individual in question is still working for the BA.
To reduce the risk of future data breaches caused by BAs, “[MMC] will continue to work toward further strengthening controls related to vendor access to patient information and enhancing our monitoring capabilities with regard to vendor access.”
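The detection MMC describes, a routine audit of vendor access that flags patient records touched outside a Business Associate’s assigned work, can be automated over an access log. The following is an added illustration, not MMC’s or any vendor’s code; the log format, account names, MRNs and authorization scope are all constructed for the example.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample audit-log lines (not from MMC): ISO timestamp, vendor
# account, action, patient medical record number (MRN).
AUDIT_LOG = """\
2014-07-02T09:14:00 vendor_billing01 VIEW MRN-1001
2014-07-02T09:20:00 vendor_billing01 VIEW MRN-1002
2014-09-15T13:05:00 vendor_billing01 VIEW MRN-2001
2015-01-10T11:42:00 vendor_billing01 VIEW MRN-2002
2015-04-28T16:30:00 vendor_billing01 VIEW MRN-2001
2015-04-29T08:00:00 vendor_coding02 VIEW MRN-1003
"""

# Constructed authorization scope: the MRNs each vendor account is entitled
# to touch under its current work assignments (e.g. open billing cases).
VENDOR_SCOPE = {
    "vendor_billing01": {"MRN-1001", "MRN-1002"},
    "vendor_coding02": {"MRN-1003"},
}

def parse_log(text):
    """Yield (timestamp, account, action, mrn) tuples from the audit log."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, action, mrn = line.split()
        yield datetime.fromisoformat(ts), account, action, mrn

def audit_vendor_access(log_text, scope):
    """Per vendor account: MRNs accessed outside scope, event count, date range."""
    findings = defaultdict(lambda: {"patients": set(), "first": None,
                                    "last": None, "events": 0})
    for ts, account, action, mrn in parse_log(log_text):
        if mrn in scope.get(account, set()):
            continue  # access is within the account's assigned work duties
        f = findings[account]
        f["patients"].add(mrn)
        f["events"] += 1
        f["first"] = ts if f["first"] is None or ts < f["first"] else f["first"]
        f["last"] = ts if f["last"] is None or ts > f["last"] else f["last"]
    return {a: {**f, "patients": sorted(f["patients"])} for a, f in findings.items()}

if __name__ == "__main__":
    for account, f in audit_vendor_access(AUDIT_LOG, VENDOR_SCOPE).items():
        print(f"{account}: {len(f['patients'])} patients, {f['events']} events, "
              f"{f['first'].date()} to {f['last'].date()}")
```

The per-account patient count and date range are exactly the figures a covered entity needs for its breach notification (number of individuals affected and the window of exposure).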
OCR to Scrutinize HIPAA-Compliance in Second Round of HIPAA Audits
The Department of Health and Human Services’ Office for Civil Rights (OCR) has been closely monitoring Business Associates for HIPAA violations, since BAs were brought under HIPAA Rules following the introduction of the Omnibus Rule. BAs found not to have implemented the necessary standards to ensure healthcare data is protected can be fined directly by the OCR. The penalties can be viewed here.
The second round of HIPAA compliance audits is expected to take place later this year, and BAs will be assessed for compliance with HIPAA Rules. Any BA that has not reached the minimum standards for data security is likely to receive a penalty for non-compliance.