UMass Memorial Medical Group (UMMMG) has reported a HIPAA breach that it first discovered over 9 months earlier, on April 9, 2014. UMMMG issued a notice on its website on January 30, 2015 explaining the incident and the delay in issuing notification letters to individuals affected by the security breach. The incident potentially affected up to 14,000 of the healthcare provider’s patients, according to a report on MassLive.
The letter announces the HIPAA breach and explains that a former employee of UMMMG accessed the billing records of a number of patients over a period of four months from January 7, 2014 to May 7, 2014.
It is not clear at this stage whether any information has actually been used to commit identity or medical fraud, but the notice has been provided while the investigation into the incident continues. Law enforcement was alerted and later, in August, advised UMMMG that printed billing documents of some of its patients had been found in the possession of an unauthorized individual.
The data believed to have been accessed, viewed and copied include names, addresses, email addresses, phone numbers, guarantor’s names, dates of birth, medical record numbers, Social Security numbers and in some cases, credit card and debit card numbers.
On the advice of law enforcement officers, the issuing of notices to the affected individuals was delayed to allow the officers time to investigate the crime. The notice explains that UMMMG received the all-clear from law enforcement on January 28, 2015 and was given permission to start issuing breach notification letters to the affected patients.
Issuing of Breach Notification Letters under HIPAA
The Health Insurance Portability and Accountability Act of 1996 – subsequently amended by the Breach Notification Rule – requires covered entities to notify individuals whose Protected Health Information (PHI) is exposed and could be viewed by unauthorized individuals. Breach notification letters must be sent within 60 days of the discovery of a breach and the Department of Health and Human Services’ Office for Civil Rights (OCR) must also be informed.
This is a maximum time limit, and covered entities are obliged to send notification letters without unnecessary delay. However, HIPAA regulations are often in conflict with the requirements of law enforcement officers. It may sometimes be necessary to delay the sending of letters and the issuing of public announcements. Under these circumstances, organizations are permitted to delay the issuing of notification letters without violating HIPAA rules.
The letters are now in the process of being sent and should arrive at the latest by February 21, 2015, over 10 months after the breach was discovered and more than a year after the first incident of inappropriate access is believed to have occurred.
Any person receiving a breach notification letter should contact the three main credit monitoring agencies – Experian, Equifax and TransUnion – and obtain a free credit report. Medicare/Medicaid and other benefits statements should be obtained and checked for signs of fraudulent activity.