The Federal Bureau of Investigation is investigating a major Med Center Health data breach that impacts many affiliates and around 160,000 patients.
The Med Center Health data breach was not the result of hackers; instead, the data is believed to have been stolen by a former employee. The employee is understood to have taken a wide range of sensitive data, including patients’ names, addresses, insurance details, procedure codes, billing information and Social Security numbers. Medical records do not appear to have been taken.
Individuals affected by the incident had previously received medical services at the organization’s medical centers in Bowling Green, Franklin and Scottsville or the Commonwealth Regional Specialty Hospital, Cal Turner Rehab or Specialty Care and Medical Center EMS.
The Med Center Health data breach may have only just been announced, but it is not recent. The information stolen by the employee relates to patients who received treatment between 2011 and 2014, and it has also taken some time for the breach to be announced and for patients to be notified.
According to the Daily News, breach notification letters are now being sent to patients impacted by the Med Center Health data breach, although due to the number of individuals affected, the notification process may take a couple of weeks.
While data is understood to have been taken, Med Center Health has not received any reports to suggest that the information was used for malicious purposes such as fraud.
The breach investigation is ongoing and information is still being actively developed and passed to law enforcement. The FBI is not the only federal agency investigating the breach.
One question that is being asked is why the notification process was delayed for a number of months, when the HIPAA Breach Notification Rule requires covered entities to notify affected patients without unreasonable delay and no later than 60 days after the discovery of a breach.
A company spokesman said, “Med Center Health informed patients as expeditiously as possible.” It was also pointed out that “information leading Med Center Health to report the incident pursuant to HIPAA developed over time during an intensive internal investigation.”
That is something the Department of Health and Human Services’ Office for Civil Rights will be interested in. If there has been an unnecessary delay in notifying patients, financial penalties may be appropriate. Earlier this year, Presence Health was fined $475,000 for delaying breach notifications by just over a month.