The FBI has been investigating a large Med Center Health data breach that affects many affiliates and approximately 160,000 patients.
Hackers are not believed to be responsible for the Med Center Health data breach, in fact it is thought that the data was stolen by an ex-employee. It is understood that the thief took a large variety of personal data such as the names, home addresses, insurance information, procedure codes, billing details and Social Security numbers of patients. Medical records were not among the information that was stolen.
People affected by the theft had formerly been treated at the Med Centre Health’s medical centers in Franklin, Bowling Green, and Scottsville or the Commonwealth Regional Specialty Hospital, Cal Turner Rehab or Medical Center EMS and Specialty Care.
Although the Med Center Health data breach was announced recently, it actually occurred some time ago. Data stolen by the rogue employee concerns patients who were treated during 2011-2014. There was also a delay between the announcement about the breach being made and the patients involved being notified.
The ‘Daily News’ have indicated that breach notification letters are in the process of being sent to patients directly affected by the Med Center Health data breach, however given the large number of individuals concerned, this process could take several weeks.
Despite the belief that sensitive data was stolen, to date Med Center Health has not received any reports which would indicate that the information has been used for any form of malicious purpose.
The investigation is continuing and information is still being actively sought and forwarded to authorities. The Federal Bureau of Investigations is not the sole federal agency involved in investigating the Med Center Health breach.
An obvious question that has been asked by numerous parties is, given that HIPAA Rules insist that covered entities announce any data breaches and inform affected patients within 60 days of a data breach being discovered, why that process did not commence for several months.
A spokesperson for Med Center Health said that the company had informed patients as quickly as was possible. He also stressed that the information which had led Med Center Health to report the breach pursuant to HIPAA had in fact developed over a period of time during a detailed internal investigation.
Undoubtedly, the Department of Health and Human Services’ Office for Civil Rights will take interest in this delay. If the length of the delay in notifying patients is deemed inappropriate, financial penalties may be imposed on the company or organisation concerned. In early 2017, Presense Health was ordered to pay a fine of $475,000 following a delay of just over a month in the issuing of breach notifications.