NOTICE OF DATA PRIVACY INCIDENT
Med-Data, Incorporated (“Med-Data”) recently experienced a privacy incident that may have impacted the protected health information (“PHI”) of individuals whose information was provided to Med-Data to assist with processing. Med-Data provides revenue cycle services to hospitals, healthcare systems and their patients, including solutions for Medicaid eligibility, third-party liability, workers’ compensation, and patient billing. All affected healthcare providers were notified of the incident.
On December 10, 2020, an independent journalist informed Med-Data that some data related to its business had been uploaded to a public website (“the Website”). On December 14, 2020, the journalist provided a link to the data, and Med-Data immediately launched an internal investigation to validate the journalist’s claim. The investigation discovered that a former employee, while employed with Med-Data, had saved files to personal folders they created on the Website sometime between December 2018 and September 2019. The files were promptly removed on December 17, 2020.
Med-Data hired cybersecurity specialists to assist in the review of the files to determine what information may have been included. Further review confirmed that the files may have contained PHI for patients whose information may have been processed by Med-Data. The cybersecurity specialists conducted an in-depth review of the files to identify PHI and extract contact information of potentially affected individuals. On February 5, 2021, the cybersecurity specialists provided a list of individuals whose PHI was impacted by the incident. Impacted covered entities whose patients’ data was affected were notified on February 8, 2021. Letters were mailed to impacted individuals and applicable regulatory agencies on March 31, 2021.
What information was involved?
From our investigation, it appears that impacted information may have included individuals’ names, in combination with one or more of the following data elements: physical address, date of birth, Social Security number, diagnosis, condition, claim information, date of service, subscriber ID (subscriber IDs may be Social Security numbers), medical procedure codes, provider name, and health insurance policy number.
What is Med-Data doing?
Med-Data is offering impacted individuals credit monitoring and identity protection services through IDX at no cost. Med-Data has also taken steps to minimize the risk of a similar event happening in the future. Med-Data implemented additional security controls, blocked all file sharing websites, updated internal data policies and procedures, implemented a security operations center, and deployed a managed detection and response solution that provides 24×7 monitoring of our network, endpoints, and workstations.
For more information:
To determine whether your information was impacted or for more information about this incident, please call 1-833-903-3647 Monday through Friday from 9 am – 9 pm Eastern Time. Individuals can also contact the Federal Trade Commission at 600 Pennsylvania Avenue NW, Washington, D.C. 20580, 1-877-ID-THEFT (1-877-438-4338); TTY: 1-866-653-4261 or visit www.ftc.gov/idtheft/ for more information on protecting their identity.