Service Coordination Inc Reports 9.7K HIPAA Data Hack

A not-for-profit provider of healthcare services to the developmentally disabled has recently reported that it has been targeted by a hacker who was able to infiltrate its computer systems and steal the healthcare data of approximately 9,700 patients.

Frederick-based Service Coordination Inc., a provider of case management services to people with disabilities and other groups in Maryland, discovered the breach in late October of 2013, yet in an violation of the HIPAA Breach Notification Rule, it delayed the issuing of breach notification letters to affected individuals for a period of almost 5 months at the apparent request of the U.S. Justice Department. The Justice Department required time to allow time for an investigation into the hack to be conducted. Under HIPAA, covered entities are required to notify the victims of a data breach within 60 days of the discovery that their data has been compromised.

The delay in announcing the breach may have proved important in this instance, as the company claims to have identified the individual responsible and law enforcement officers have apparently seized the individuals’ personal property and bank accounts, although it is not clear if that equipment contained the stolen PHI.

A spokesperson for the Justice Department, Peter Carr, said that he was unable to comment on the incident as he did not want to jeopardize the investigation, according to an article in the Washington Times.

A spokesman for Service Coordination Inc., Michael Baisey, said that investigators had not discovered any evidence that the stolen information was used inappropriately, although he did confirm that one document obtained contained information on approximately 70% of the company’s 13,900 clients.

The state of Maryland’s Developmental Disabilities Administration has issued licenses to five organizations to provide ancillary healthcare services. The administration’s acting director, Patrick Dooley, issued a statement saying that under the terms of the license, Service Coordination is required to provide all affected individuals with free credit monitoring services and must assist the victims with ID theft protection. He said, “We want to make sure people get the help they need. We’ll be working with SCI to make sure people get the help they need.”

As part of an effort to mitigate any damage caused, MDF will provide all victims of the breach with a year of credit monitoring services without charge.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.