April 26, 2018
The information – which included patients’ complete names, treatment location, procedure code, treatment visit ID, admission date, visit date, visit status, gender, address, date of birth, medical provider details, and diagnosis codes – had been published to an openly accessible source. The PHI was found by a healthcare safety scientist who warned IRC regarding the data breach.
Swift action was taken to remove and protect the data and an inquiry was kicked off to decide how and why the data had been made available to an unsafe place. That review decided that a business partner who had been given the PHI had revealed the PHI to a third party. It was that subcontractor that made the blunder and uploaded the data to the public website.
When the breach occurred, IRC only thought the data had been accessed by the safety worker. Nevertheless, in its alternate breach notification, IRC commented that in the latter half of 2017 it became clear that other people might also have accessed data.
Patients who might have been affected have been offered free credit checking and identity restoration facilities for 12 months and advised about the occurrence ‘out of an abundance of caution.’ There have been no statements made to ICR to suggest any patient information has been abused, even though affected people have been helped to check their credit reports and EOB statements carefully and to remain cautious against occurrences of identity theft.
People who have been told of the revelation of their PHI within 60 days of the breach being identified as it might not have been thought that there was a substantial risk of monetary loss or harm, even though it is unclear why there was a sluggishness in issuing alerts when it was felt that other people might have accessed the data.