Breach after patient data pops up online

HIPAA data breach compromises Social Security numbers, PHI and insurance data

A debt collection agency that contracted with University of Chicago Physicians Group is notifying nearly 1,400 patients that their protected health information, insurance data and Social Security numbers have been compromised after being accessible to viewers on the Internet. 

ICS Collection Service Inc. on July 9 received a report that a website user could view sensitive information relating to other debtors while on its website. Information accessible to viewers included patient names; addresses; Social Security numbers; dates of birth; responsible party names and addresses; insurance payment and dates; insurance companies and policy numbers; procedures, diagnoses and in-depth descriptions; dates of service; and treating physician names relating to certain UCPG patients.

[See also: Behemoth breach sounds alarm for 4M.]

"When ICS received this report, we commenced an internal investigation. We also contacted our third-party website and software vendors, corrected the security setting and disabled access to the page on our website utilized by debtors to make payments and other account adjustments," a company notice read. 

ICS had previously contracted with UCPG for collection and address verification services. While the contract had been terminated before the breach occurred, ICS had retained data on 1,344 patient claims that were active at the time the contract was terminated.

With the HIPAA Omnibus Final Rule, subcontractors and business associates of HIPAA-covered entities are equally responsible for privacy and security breaches of protected health information. 

Although only 16 out of some 80,000 privacy and security breach cases reported to the Office for Civil Rights since 2003 have resulted in hefty fines, OCR Director Leon Rodriguez said fines and enforcements for breaches have increased this year and will likely continue to do so. "I think all these cases really powerfully articulate those expectations and the fact that we will be holding people accountable," he said in an August interview with Healthcare IT News

OCR has collected more than $18 million from HIPAA violations and settlements. 

Just this August, the agency announced a $1.2 million settlement with the New York-based Affinity Health Plan after the company failed to erase the protected health information of more than 344,000 patients that was contained in leased photocopiers.