CHI Franciscan Health Highline Medical Center has notified 18,399 patients that some of their protected health information has been exposed on the Internet as a result of an error made by a business associate.
The HIPAA business associate responsible for the breach was R-C Healthcare Management. An employee of the firm had made an error with the configuration of a firewall after maintenance work was conducted. The error was made on April 21, 2016, but was not discovered until June 13.
During the time that the security protection was removed, files containing Highline Medical Center patients’ personal information were freely accessible over the Internet. The exposed files contained data from 1993-1994 and from 2008 to 2013. The data was used by R-C Healthcare Management for cost reporting functions.
Upon discovery of the error, systems were secured to prevent any unauthorized access to the files, and R-C Healthcare Management notified Highline Medical Center of the error. The medical center conducted an investigation to determine which individuals had been affected and what PHI had been exposed.
Patients affected by the breach have had their name, health insurance details, dates of service, and Social Security number exposed. No financial information was included in the files and medical histories were not accessible at any point.
Affected patients have been offered a year of credit monitoring services through Experian without charge. The service allows breach victims to protect themselves against identity theft and fraud, and will also assist them with recovering their identities and any losses in the event that their personal information is misused.
Highline Medical Center was not the only R-C Healthcare Management client to be affected by the incident. Bon Secours Health System also had PHI exposed as a result of the error. Last month the Maryland-based health system notified 651,971 patients of a breach of their PHI.