– Concord, Massachusetts-based Emerson Hospital is notifying 6,300 patients that their data was potentially breached nearly one year ago, due to insider wrongdoing at one of its vendors.
According to a statement released on March 8, the data breach occurred during a weeklong period from May 9 to May 17, 2018. A former employee of Emerson’s claims processing vendor, Miramed Revenue Group, sent a file containing patient health data to an unauthorized individual.
An investigation into the incident determined the file included data from about 6,300 patients, which included patient names, Social Security numbers, addresses, and insurance policy details. This type of data is commonly used for identity theft.
Officials stressed the file did not contain any medical treatment or conditions, nor any financial data like credit card details. The hospital spokesperson added: “A detailed forensic investigation showed that the files were of such poor quality that a third-party did not find the data useful.”
The security incident was reported to law enforcement, and the employee who improperly disclosed the information is no longer with the vendor. As a precaution, all impacted patients have been offered two years of identity theft protection services.
The breach notification is nearly identical to the recent Rush University Medical Center disclosure from the same vendor security incident, although the notice didn’t name the vendor. The Miramed breach impacted 45,000 Rush Medical patients. It’s yet to be seen if more healthcare providers were affected by the incident.
Third-party vendor breaches continue to plague the healthcare sector, with Rush and Emerson just the latest to be impacted. In fact, last year’s largest breach of 2.65 million Atrium Health patient records was caused by a hack on billing vendor, AccuDoc Solutions.
Managed Health Services, Health Alliance Plan, and Blue Cross Blue Shield of Michigan are among some of the most recent providers impacted by a third-party vendor breach. Data inventory and management policies are two of the best ways to begin shoring up the risk posed by healthcare’s trove of business associates and vendors.