Cogent Healthcare announced late last week that M2ComSys, the organization’s transcription contractor, had exposed 32,000 patients’ data across 48 states. M2ComSys, according to the Tennessean, left physician notes available to the public from May 5 to June 24 because it didn’t activate a firewall.
The physician notes included information such as physicians’ names, patients’ dates of birth, diagnosis descriptions, summaries of treatments provided, medical histories and medical record numbers. Cogent said that patients’ medical records and Social Security numbers were not revealed.* As a result of the breach, Cogent said that it’s ending its relationship with M2ComSys and has collaborated with Google to ensure there are no remnants of exposed data.
*Editor’s note: An earlier version of this story indicated that Cogent Healthcare is operated by Genesis Health Systems. Genesis has no ownership in Cogent, a vendor that provides and administers the hospitalist program at Genesis and approximately 40 other hospitals and health systems across the country.
“People have the right to expect that their personal health information is protected,” says Ken Croken, Vice President, Corporate Communications & Business Development, Genesis Health System. “And sadly, in this instance, it was not.”
Cogent will provide affected patients with a complimentary one-year membership in Experian’s ProtectMyID Alert, which includes identity theft protection, a credit report and monitoring. As PHIPrivacy.net reported, the patient notification letter from LeToia Crozier, Cogent’s Senior Vice President and Compliance Officer, was robust and extremely detailed about the steps patients need to take to protect their data.
“We have taken a number of steps to protect against future incidents. We have ended our relationship with M2 and taken physical possession of the hardware held by M2 that stored our PHI. We have confirmed with Google that it has removed all evidence of PHI from their files. We have initiated a security review of other Cogent Healthcare, Inc. vendors who have access to PHI to confirm their security procedures.
“Cogent Healthcare, Inc. takes information security and your privacy very seriously. We deeply regret this situation and any inconvenience this may cause you. Even though the information did not contain Social Security numbers, we encourage you to take precautions to protect the security of your personal information. For example, you should remain vigilant by reviewing account statements and monitoring free credit reports.”
This was a particularly strong reaction to the breach from Cogent. Cogent immediately recognized that, because M2ComSys was a downstream data holder (it wasn’t said whether it was a business associate or subcontractor), it had the responsibility to respond to the breach and alert patients with resolution options in a timely manner.