Bon Secours Health System Announces 655,000 PHI Incident

This week, Maryland-based Bon Secours Health System announced that the protected health information of some of its patients was accessible over the Internet for almost two months. The security incident ranks as one of the biggest potential data breaches of 2016, involving the records of more than 655,000 patients.

The incident was caused by the actions of one of its business associates, R-C Healthcare. R-C Healthcare, a reimbursement optimization firm, inadvertently changed network security settings on its servers when performing maintenance between April 18 and April 21. The change meant the data stored on the server could be accessed via the Internet by unauthorized individuals.

The exposed data includes patient names, health insurer names and patient ID numbers, Social Security numbers, and some clinical information. Some patients may have also had their bank information exposed, although no medical records were compromised. Not all Bon Secours patients have been impacted by the incident. The majority of exposed data related to patients residing in Virginia.

Bon Secours discovered the error on June 14, 2016, and immediately launched an internal investigation to determine which patients had been affected and the types of data exposed. R-C Healthcare was immediately notified of the error and security settings were rapidly restored. Bon Secours has now completed its investigation and has confirmed that patient data can no longer be accessed.

Breach notification letters were mailed to patients on August 12, 2016. Patients were informed that their data had been exposed, although Bon Secours did not say whether the data had actually been accessed by unauthorized individuals. Since the possibility cannot be ruled out, and to protect patients from potential harm or loss, all affected individuals have been offered 12 months’ credit monitoring and identity theft protection services without charge.

Bon Secours has reinforced standards with its vendors to prevent future breaches of this nature from occurring.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news