PHI Exposed by Vendor’s Security Lapse

Data breach

Cogent Healthcare announced last week that a third-party vendor’s security lapse left patients’ Protected Health Information (PHI) exposed on the Internet.  While no financial or Social Security Number information was included, Cogent is offering a year-long subscription to identity theft protection and credit monitoring services to the 32,000 affected patients.

Medical transcription vendor M2ComSys, based in Las Vegas, was contracted by Cogent to transcribe dictated notes.  The PHI, which included patients’ names, dates of birth, diagnosis and treatment information, medical history, and physicians’ names, was stored on a Web site which was supposed to be secure, but which actually had no working firewall.  The data therefore could have been accessed by the public between May 5th and June 24th of this year.  Because it was publicly reachable, some of that data was also indexed by the search engine Google.  Patients affected by the HIPAA violation, Cogent’s second, were seen at Cogent physician groups in Arizona, California, Florida, Georgia, Iowa, Illinois, Kentucky, Massachusetts, Mississippi, Montana, New Jersey, New York, North Carolina, Pennsylvania, South Carolina, Tennessee, Texas, Washington, and Wisconsin.

Cogent Healthcare has ended its relationship with M2ComSys in response to the security lapse.  It is also following up with Google to ensure that all protected data is removed from its indices.  A statement from the hospitalist company said, “Cogent Healthcare takes information security and patient privacy very seriously.  We apologize for any difficulties this incident may cause any of our patients or hospital partners.  We recognize it is our responsibility to give patients the information they need to take precautions to protect themselves, and we are actively doing so.”

The omnibus HIPAA regulations (or “Final Rule”) which go into effect on September 23rd, 2013 will apply both the Security Rule and the Privacy Rule to “Business Associates” as well as the currently-included covered entities like healthcare practices, hospitals, and insurance carriers.  A business associate is generally defined as “a person or entity that creates, receives, maintains, or transmits protected health information (PHI) in fulfilling certain functions or activities for a HIPAA-covered entity.”  Under the Final Rule, business associates like vendors of Electronic Medical Records software (such as Medisoft Clinical or McKesson Practice Choice) and services are directly liable for HIPAA rule compliance and enforcement if they work with any of this protected data.  Civil and criminal penalties can be imposed on companies like M2ComSys under the new enforcement beginning next month.  Now more than ever, it is crucial to develop a plan and put policies and procedures into place to maintain the integrity and security of any patient data being handled.