A breach at a third-party vendor has resulted in 6,314 patients' records from Emerson Hospital in Concord, MA being exposed.
The breach occurred between May 9 and May 17, 2018. The breach was attributed to an unauthorised disclosure incident involving one of the third-party vendors contracted by Emerson Hospital. A former employee of MiraMed Global Services, a company that helps the hospital collect payments, sent files containing protected health information to a third party without authorisation to do so.
Allowing unauthorised individuals to access patient information is a violation of the Health Insurance Portability and Accountability Act. Only those with legitimate reasons to do so should be able to access sensitive patient information. Third parties may also access patient data if they have explicit consent from the patient.
The files contained information such as names, addresses, Social Security numbers, and insurance policy information. Criminals utilise this information to commit identity fraud, often with devastating effects for the victims. The former employee, who was employed at the facility while the emails were sent, did not access the financial or health information contained in the emails.
MiraMed fired the employee once it discovered the breach. It also reported the incident to law enforcement. It is possible that the former employee may face criminal charges over the theft of the information. MiraMed quickly informed Emerson Hospital that its patient data was compromised.
A spokesperson for the hospital issued a statement saying, “A detailed forensic investigation showed that the files were of such poor quality that a third party did not find the data useful.”
Emerson Hospital sent breach notification letters to all affected patients outlining the incident. The hospital has not discovered any evidence to suggest that patient information has been used for nefarious purposes. However, as a precaution, it has offered all affected patients free identity theft protection services through Experian IdentityWorks for 24 months.
MiraMed has not publicly disclosed whether the breach affected other healthcare organisations.