Subcontractor Error Triggers Breach

Financial Information Exposed Online
A health and financial information breach that may have affected as many as 10,000 patients at a Kansas hospital illustrates yet again that the actions of a business associate's subcontractor can have a major potential impact on patient privacy.

Lawrence Memorial Hospital is notifying patients about a breach in which their financial information was exposed on a website for about a month. The hospital uses online bill pay services from Mid Continent Credit Services Inc., also known as Blue Sky Credit. The breach was caused by "failed security measures" by BrickWire LLC, a subcontractor to the bill pay service, during a system update on a website it hosted on behalf of Mid Continent, a hospital spokesman says.

From Sept. 20 through Oct. 28, the website enabled public access to patient information that included names, phone numbers, e-mail addresses, health care provider, payment amount and date of payment. Also accessible was either credit information or checking account information. That included credit account number, verification number and expiration date, or checking account number, bank routing number and bank information.

Credit Monitoring Offered

Although the hospital reports it does not know whether any of the information was improperly accessed, Mid Continent is offering one year's worth of free credit monitoring to those who could be affected. As a precaution, the hospital said, it is notifying "all individuals who have made online payments and patients for whom online payments were made since this service began in 2005."

"We are continuing to follow up with Mid Continent Credit Services regarding the event, and we are currently in the process of arranging for a new online payment system," the hospital said in its statement. "We will take any other measures determined to be necessary to prevent a similar event from occurring in the future."

In another recent website breach incident involving a subcontractor, Stanford Hospital & Clinics reported that a business associate's subcontractor caused a health information breach when information about 20,000 patients treated in the hospital's emergency department was posted on a website.

Under pending modifications to the Health Insurance Portability and Accountability Act, business associates, as well as their subcontractors, must comply with HIPAA's privacy and security rules. An omnibus package of regulations that includes final versions of the HIPAA modifications, as well as the HIPAA breach notification rule, is expected in the coming weeks.


About the Author

Howard Anderson

News Editor, ISMG

Howard J. Anderson is news editor of Information Security Media Group and was founding editor of HealthcareInfoSecurity and DataBreachToday. He has more than 34 years of journalism experience, with a focus on healthcare information technology issues. Before launching HealthcareInfoSecurity, he served as founding editor of Health Data Management magazine, where he worked for 17 years, and he served in leadership roles at several other healthcare magazines and newspapers.