Vendor oversight brings HIPAA breach to 32,000
The protected health information of some 32,000 patients across 48 states has been compromised after a health IT vendor's firewall was down for more than a month, allowing, in some cases, for patient data to be indexed by Google, officials announced Thursday.
Hospitalist and intensivist company Cogent Healthcare, based in Nashville, Tenn., contracted with Las Vegas-based medical transcription and software vendor M2ComSys to transcribe care notes dictated by physicians. M2 stored protected health information on what was supposed to be a secure Internet site. The site, in reality, had its firewall down. The access to these notes through the site began May 5, 2013, and ended following Cogent Healthcare’s discovery of the lapse on June 24, 2013.
Patient data compromised included patients names, physician names, dates of birth, diagnosis description, treatment data, medical history and medical records numbers.
In response to the HIPAA breach, Cogent Healthcare has terminated its relationship with M2ComSys and has taken physical possession of the hardware in use at M2. They are also in the process of confirming with Google that it has removed all evidence of PHI from its files, officials say.
"Our organization takes information security and patient privacy very seriously. We deeply regret this situation and any inconvenience this may cause our hospital partners and their patients," a Cogent Healthcare notice read.
"We're just one of a couple dozen hospitals that had patient information unsecured," said Craig Cooper, spokesperson for Davenport, Iowa-based Genesis Health Systems. Cooper said some 1,160 patients Genesis patients had their PHI compromised.
According to Cogent officials, 32,000 patients seen at many of the company's physician groups in Arizona, California, Florida, Georgia, Iowa, Illinois, Kentucky, Massachusetts, Mississippi, Montana, New Jersey, New York, North Carolina, Pennsylvania, South Carolina, Tennessee, Texas, Washington, Wisconsin were affected by the breach.
This is the second HIPAA breach for Cogent Healthcare, according to data from the Department of Health and Human Services.