Bon Secours Health System, based in Marriottsville, Md., is informing some 655,000 individuals that files containing patient information inadvertently had been left accessible by one of the health system’s vendors, R-C Healthcare Management.
While attempting to adjust their computer network settings during a multi-day period in April, R-C Healthcare inadvertently made files located within their computer network accessible via the internet. When Bon Secours discovered this issue on June 14, it notified R-C Healthcare of this issue so that the information could no longer be accessed via the internet, officials of the health system said in a notice to patients.
The notice read, “Our investigation determined that the files that were available via the internet may have contained patients’ names, health insurers’ names, health insurance identification numbers, limited clinical information, social security numbers, and in some instances, bank account information. Medical records were not made available via the internet and medical care has not and will not be affected.”
According to a report in the Richmond Times-Dispatch, a Bon Secours Richmond Health System spokeswoman said, “We do know that of the 655,000, fewer than 600 individuals had information that included a lab or diagnostic test name and none had diagnosis information.” The report added that R-C Healthcare Management, which helps hospitals generate revenue by optimizing existing data reporting, according to its website, is no longer a vendor of Bon Secours.
The health system, with facilities in in six states along the East Coast, said there is no knowledge that the information contained within the files has been misused in any way. “However, as a precaution, we began mailing letters to affected patients on August 12, 2016, and established a dedicated call center to answer patients’ questions,” Bon Secours said.
The month of August has already seen a few major data breaches reported in the industry. Phoenix-based Banner Health, one of the largest healthcare systems in the U.S., announced early in the month that it would be notifying approximately 3.7 million individuals about a breach in which cyber attackers gained unauthorized access to computer systems that process payment card data at food and beverage outlets at certain Banner locations. And on August 5, Albany, New York-based Newkirk Products, a BlueCross BlueShield business associate that issues healthcare ID cards for health insurance plans, reported a cyber security incident involving unauthorized access to a server containing approximately 3.3 million plan members’ personal information.