University Health PHI exposed after vendor employee downloads data, posts on public website

San Antonio-based University Health began notifying 2,704 patients that its billing services vendor, Med-Data, fell victim to a data breach.

University Health said in an April 5 news release that Med-Data provides revenue cycle and patient billing services for the Texas health system.

Med-Data said a former employee saved PHI files to personal folders they published on a public website while the employee worked at Med-Data.

Nine things to know about the breach:

  1. On Dec. 10, 2020, an independent journalist told Med-Data that some of its data had been uploaded to a public website.

  2. On Dec. 14, the journalist provided Med-Data a link to the data, and Med-Data launched an internal investigation to verify the journalist's claim.

  3. The investigation determined a former employee saved files to personal folders they created on the website between December 2018 and September 2019, while they were employed with Med-Data.

  4. The files were removed from the public website on Dec. 17, 2020.

  5. Med-Data hired cybersecurity experts and on Feb. 5 and the experts provided a list of affected individuals whose protected health information was exposed. On Feb. 8, covered entities whose patient data was affected were notified.

  6. On March 31, letters were mailed to affected individuals and required regulatory agencies.

  7. Breached data may include patients' Social Security numbers, addresses, birthdates and more.

  8. Med-Data is offering affected individuals credit monitoring and identity theft protection through IDX.

  9. To prevent similar events from happening in the future, Med-Data implemented additional security controls, blocked all file-sharing websites, updated internal data policies, implemented a security operations center, and deployed a managed detection and response solution center to provide continuous monitoring of its network.

Copyright © 2024 Becker's Healthcare. All Rights Reserved. Privacy Policy. Cookie Policy. Linking and Reprinting Policy.


Featured Whitepapers

Featured Webinars