HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

White Plains and Conemaugh MMC Hospitals Announce HIPAA Breaches

White Plains Hospital, N.Y. and Conemaugh Memorial Medical Center, Pa. have issued breach notices confirming they have been affected by the data breach caused by an employee of Business Associate (BA), Medical Management.

Earlier this week we reported Medical Management LLC suffered a data breach after an employee copied protected data from the company’s billing system and disclosed that information to a third party. Medical Management is a billing vendor providing a range of billing and coding services to a number of healthcare providers, many of which are in New York. The data exposed included names, dates of birth and Social Security numbers.

The University of Pittsburgh Medical Center (UPMC) was the first healthcare provider to announce that some of its patients had been affected by the data breach. Two more hospitals have now issued breach notices to the media and have sent notifications to affected patients..

White Plains Hospital Notifies 1,100 of Data Breach

White Plains Hospital in New York announced it was affected by the data breach caused by the BA and learned that approximately 1,100 of its patients had been affected.

Get The Checklist

Free and Immediate Download
HIPAA Compliance Checklist

Delivered via email so verify your email address is correct.

Your Privacy Respected

HIPAA Journal Privacy Policy

White Plains responded and issued breach notification letters to its patients advising them that their data may have been compromised. Not every patient has been affected, only those who visited the emergency department for treatment between February 2013 and March 2015.

White Plains Vice President of Community Relations and Marketing, Dawn French, announced the breach and said patients affected would be provided with free credit monitoring and identity theft services with “a global leader in risk mitigation and response solutions,” Kroll Inc.

Patients were advised to take the matter seriously and sign up for the services being offered, in addition to contacting credit bureaus to obtain a free credit report, place a fraud alert, and even go as far as to put a freeze on credit. Patients were also told to check Explanation of Benefits statements and to question and report any suspicious activity.

Conemaugh Health System’s Memorial Medical Center Reports Breach

The west central Pennsylvania 4-hospital system announced yesterday that a number of its patients were affected by the Medical Management data breach. Conemaugh Health System’s Memorial Medical Center issued a press release confirming that some patients had been affected, and that they have been notified and offered identity theft protection for a period of one year without charge.

The hospital confirmed patients from the Conemaugh Memorial Medical Center, Meyersdale Medical Center and Miners Medical Center had been affected, although the number of victims was not disclosed in the initial press release.

The hospital was recently acquired by the Conemaugh Health System; however on March 15, under the name Duke LifePoint Conemaugh Memorial Medical Center, a breach report was submitted to OCR stating that 1,551 patients had been affected by a data breach categorized as “theft” involving a “desktop computer.” No further description was submitted along with the initial breach report – the OCR permits information to be added when it becomes available – but the report does say that no Business Associate was involved in the data breach, suggesting that this may be a separate data breach.

The Medical Management data theft is being investigated by law enforcement officers. The employee could face criminal charges for stealing the data, and if convicted of taking the information for personal gain, the offense can result in up to 10 years in prison and a substantial fine.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.