270,000 patient records breached in Med Associates hack
A hack on Albany-based Med Associates may have breached the records of more than 270,000 patients. The healthcare billing claims vendor began notifying patients on June 14, and the Times Union, a local New York-based publication, was able to obtain the exact number of impacted patients.
Med Associates provides claims services for about 70 healthcare providers.
Officials discovered the breach on March 22 when an employee workstation began displaying unusual activity. An investigation by a Med Associates third-party forensics team determined a hacker accessed the workstation and may have accessed patient data.
Med Associates is continuing to investigate the incident, but officials determined that the affected data contained demographic information, addresses, dates of service, medical data and insurance identification numbers. This type of information can be used by hackers for medical fraud.
Officials said the workstation did not contain financial information. However, Med Associates President Catherine Alvey told the Times Union that some Social Security numbers were included in the data. All impacted patients are being offered a year of free credit monitoring.
Under HIPAA, organizations must report breaches within 60 days of discovery, even with an investigation underway. The notice did not clarify the reason for the delayed report. Med Associates did not respond to a request for comment.
One of Illinois’ largest providers, Presence Health, was the first to settle with the Department of Health and Human Services Office of Civil Rights in January 2017 for failing to report a breach in a timely manner. It cost Presence Health $475,000.