Med-Data, Incorporated (“Med-Data”) recently experienced a privacy incident that may have impacted the protected health information (“PHI”) of individuals whose information was provided to Med-Data to assist with processing. Med-Data provides revenue cycle services to health care providers and their patients, including solutions for Medicaid eligibility, third-party liability, workers’ compensation, and patient billing. Med-Data provided one or more of these services to its impacted customers, including Memorial Hermann Health System (“Covered Entity”).
On December 10, 2020, an independent journalist informed Med-Data that some data related to its business had been uploaded to a public-facing website (“the Website”). On December 14, 2020, the journalist provided a link to the data, and Med-Data immediately launched an internal investigation to validate the journalist’s claim. The investigation discovered that a former employee had saved files to personal folders they created on the Website sometime during or before September 2019. The files were promptly removed on December 17, 2020. Med-Data is working with the journalist and any other third parties to confirm all data they may have downloaded or printed has been deleted, physically destroyed, and not shared with anyone else.
Med-Data hired cybersecurity specialists to assist in the review of the files to determine what information may have been included. Further review confirmed that the files may have contained PHI for patients whose information may have been processed by Med-Data. The cybersecurity specialists conducted an in-depth review of the files to identify PHI and extract contact information of potentially affected individuals. On February 5, 2021, the cybersecurity specialists provided a list of individuals whose PHI was impacted by the incident. A review of the impacted files revealed that they contained individuals’ names, in combination with one or more of the following data elements: physical address, date of birth, Social Security number, diagnosis, condition, claim information, date of service, subscriber ID (subscriber IDs may be Social Security numbers), medical procedure codes, provider name, and health insurance policy number.
Med-Data notified the Covered Entity on February 8, 2021.
Med-Data mailed a notice letter to impacted individuals on March 31, 2021, which included information about the incident and provided credit monitoring and identity theft protection services through IDX. Med-Data has also taken steps to minimize the risk of a similar event happening in the future. Med-Data implemented additional security controls, blocked all file-sharing websites, updated internal data policies and procedures, implemented a security operations center, and deployed a managed detection and response solution. Med-Data also informed law enforcement.
Individuals may call 1-833-903-3647 Monday through Friday from 9 am - 9 pm Eastern Time to obtain more information or to learn if they were impacted by this incident. Individuals can also contact the Federal Trade Commission at 600 Pennsylvania Avenue NW, Washington, D.C. 20580, 1-877-ID-THEFT (1-877-438-4338); TTY: 1-866-653-4261 or visit www.ftc.gov/idtheft/ for more information on protecting their identity.