Subcontractor Error Triggers Breach
Financial Information Exposed Online
Lawrence Memorial Hospital is notifying patients about a breach in which their financial information was exposed on a website for about a month. The hospital uses online bill pay services from Mid Continent Credit Services Inc., also known as Blue Sky Credit. The breach was caused by "failed security measures" by BrickWire LLC, a subcontractor to the bill pay service, during a system update on a website it hosted on behalf of Mid Continent, a hospital spokesman says.
From Sept. 20 through Oct. 28, the website enabled public access to patient information that included names, phone numbers, e-mail addresses, health care provider, payment amount and date of payment. Also accessible was either credit information or checking account information. That included credit account number, verification number and expiration date, or checking account number, bank routing number and bank information.
Credit Monitoring Offered
Although the hospital reports it does not know whether any of the information was improperly accessed, Mid Continent is offering one year's worth of free credit monitoring to those who could be affected. As a precaution, the hospital said, it is notifying "all individuals who have made online payments and patients for whom online payments were made since this service began in 2005."
"We are continuing to follow up with Mid Continent Credit Services regarding the event, and we are currently in the process of arranging for a new online payment system," the hospital said in its statement. "We will take any other measures determined to be necessary to prevent a similar event from occurring in the future."
In another recent website breach incident involving a subcontractor, Stanford Hospital & Clinics reported that a business associate's subcontractor caused a health information breach when information about 20,000 patients treated in the hospital's emergency department was posted on a website.
Under pending modifications to the Health Insurance Portability and Accountability Act, business associates, as well as their subcontractors, must comply with HIPAA's privacy and security rules. An omnibus package of regulations that includes final versions of the HIPAA modifications, as well as the HIPAA breach notification rule, is expected in the coming weeks.