Emerson Hospital, located in Concord, MA, is notifying 6,300 patients about the exposure of some of their protected health information (PHI) because of a security breach that occurred in May 2018 at a third-party vendor.
The hospital stated that the unauthorized disclosure took place from May 9 to May 17, 2018. An ex-employee of MiraMed Global Services, a claims processing vendor of the hospital, was found to have sent files containing PHI to a third-party vendor that wasn’t authorized to receive the data.
The files comprised the following types of information, which are often sought by identity thieves: names, Social Security numbers, addresses and insurance policy details. The files did not contain any financial information or health data.
The employee at fault was terminated because of the breach. Though the incident has been reported to law enforcement, it is not clear whether the employee responsible for the breach was charged over it.
A forensic investigation of the breach confirmed the theft of ePHI. However, the hospital’s spokesperson stated that the forensic investigation showed the files to be of such poor quality that they are not useful to a third party.
Although there appear to be no reports of data misuse, as a precautionary measure, Emerson Hospital offered all affected patients free identity theft protection services via Experian IdentityWorks for two years.
Emerson Hospital is the second healthcare organization to report a breach linked to this incident. Rush System for Health likewise reported an identical breach case to OCR on February 28, 2019. Although names, Social Security numbers, dates of birth, and insurance details were also exposed, Rush stated that patients face a low potential for fraud because no financial information was exposed. About 45,000 patients were impacted.
It is unknown if any other healthcare company was impacted by the breach at MiraMed.