Wisconsin’s Memorial Hospital of Lafayette County has posted notice on its website that it mailed out 8,000 data breach notification letters to patients after it learned on Aug. 6, 2013 that some of their financial statements had been inadvertently sent out to the wrong people by a third-party billing vendor.
Credit should be given to Memorial Hospital of Lafayette County in that it didn’t bury its breach notification letter, posted by PHIPrivacy.net here, on its website and instead it’s on the middle of its home page. The notice says that there was an erroneous setting in the vendor’s system and the system generated a number of “zero balance” or “aged account balance” statements relating to care provided at the hospital since 2001 and these bills were sometimes sent to wrong or outdated addresses.
The statements did not contain sensitive or detailed information. In fact, the only information relating to treatment at the hospital is the patient’s name and account number, date(s) of service, and the charges associated with each date of service. The statements also included the name, address and identification number for the guarantor on the account. Other personal information, such as Social Security number, date of birth, and specific health conditions, were not included in the disclosure.
Memorial Hospital went on to say that the vendor’s errors have been corrected and patients will receive an account statement only if there is a balance owed, or if the account was paid to zero since the last statement. “Memorial Hospital of Lafayette County places an extremely high priority on privacy and security of health information and regrets that this incident occurred,” the statement read.