A California-based Medicare health plan is notifying approximately 14,000 patients that some of their information may have been compromised in a potential vendor data breach.
Brand New Day became aware on December 28, 2016 that a contracting provider accessed certain patient data via a third party vendor system, according to a copy of the notification letter posted on California’s Office of Attorney General website.
The unauthorized access occurred on December 22, 2016, explained the letter, which was signed by Brand New Day Compliance Officer Connie Snyder. The accessed data included names, dates of birth, Medicare ID numbers, addresses, and phone numbers. Driver’s license numbers and California identification card numbers were not involved.
The HHS Office for Civil Rights (OCR) breach reporting tool states that 14,005 individuals may have had their information accessed.
“We contacted the third party vendor the same day we became aware of the breach and advised the vendor that someone without appropriate permission was able to access your information,” Snyder said in the letter. “The vendor eliminated the error in their system within hours, thus ensuring this cannot happen again.”
The health plan added that there was a notification delay because of the law enforcement investigation.
Since the incident, Brand New Day said that its existing policies and procedures were reviewed. Additionally, a self-audit of the health plan procedures was conducted “to identify any error that could result in this error occurring again.”
“We changed our practices regarding access requiring monthly verification of each user,” the letter explained. “All of our employees will be contacted to remind them of the priorities of protecting health information and reporting any potential breaches immediately to the Compliance Officer.”
Brand New Day is also offering potentially affected individuals one year of complimentary identity theft and mitigation services.
“We take very seriously our role of safeguarding your personal information and using it in an appropriate manner,” Snyder wrote. “We apologize for this situation and are taking appropriate measures to prevent a reoccurrence.”
Vendor data breaches can be especially damaging to healthcare organizations because a single incident at one vendor can affect numerous covered entities at once.
Last year, EHR vendor Bizmatics was tied to several potential healthcare data breaches after hackers gained access to its servers.
For example, Bizmatics notified North Ottowa Medical Group that servers containing patient information had been accessed by an unauthorized user. Bizmatics could not confirm whether North Ottowa Medical Group’s patient files were involved, but the OCR breach reporting tool listed 22,000 individuals as affected by the incident.
Bizmatics hired a forensic firm to investigate, North Ottowa Medical Group explained in a statement.
“These investigations found that there was no reason to believe patient files were the target of the attack,” the press release stated. “Further, investigators could not conclusively determine if there was, in fact, a PHI breach at all.”