HOUSTON — Memorial Hermann is notifying its patients of a data breach by one of its business associates.
The hospital system said in December 2020, Med-Data, Incorporated experienced a privacy incident that may have impacted the protected health information of individuals provided to Med-Data to assist with processing. They said some data related to Med-Data’s business had been uploaded to a public-facing website.
Med-Data provides revenue cycle services to health care providers and their patients, including solutions for Medicaid eligibility, third-party liability, workers’ compensation and patient billing.
An internal investigation revealed a former employee saved files to personal folders created on the website sometime during or before September 2019. The files were removed on Dec. 17, 2020.
A review found the files contained individuals’ names, in combination with one or more of the following: physical address, date of birth, Social Security number, diagnosis, condition, claim information, date of service, subscriber ID (subscriber IDs may be Social Security numbers), medical procedure codes, provider name and health insurance policy number.
Med-Data notified those affected on Wednesday via a letter, which included information about the incident and provided credit monitoring and identity theft protection services. Med-Data said it has since added more security controls, blocked all file sharing websites, updated internal data policies and procedures, implemented a security operations center and deployed a managed detection and response solution.
Med-Data also informed law enforcement.
Individuals may call 1-833-903-3647 from 9 a.m. to 9 p.m. ET Monday to Friday to learn if they were impacted by this incident. It is unclear how many people were affected by the breach.