- About nine months after a Valparaiso, Ind. Fire Department ambulance data breach occurred, the Valparaiso billing company responsible for the breach, Advanced Data Processing (ADP), has sent out breach notification letters. Valparaiso said in its notification letter that it learned of the ADP breach from the IRS on July 16, 2013.
This is just the latest news related to ADP’s October 2012 breach in which patient data was used to file false income tax returns. HealthITSecurity.com had previously covered the impact on the Yuma Fire Department and Grady Health Systems. ADP’s November 2012 breach affected Valparaiso 860 patients who used ambulance service in early 2012, according to posttrib.suntimes.com. While the compromised data included Social Security numbers, record identifier and birthdates, apparently no patients have come forward with identity or credit fraud issues.
City Attorney Ethan Lowe told the Sun Times that those who could be affected used Valparaiso’s ambulance service between Jan. 1 and June 21 in 2012, and Valparaiso is mailing out notification letters by Wednesday and put a notice on its website. “They potentially could be (affected), and that’s why we’re going through the steps we are,” Lowe said.
The IRS and FBI are involved and contacted Valparaiso about the incident. Lisa Jardim of ADPI said Ieshia Jordan, a former ADP billing specialist, pleaded guilty on Feb. 14 to conspiracy and wrongful disclosure of health information and attempted tax fraud with the information. The IRS automatically processes income returns less than $10,000. “It wasn’t until recently that ADPI was informed by the Internal Revenue Service that certain patient records connected with Valparaiso Fire Department may have been improperly accessed,” Jardim said.
Here is a portion of the notification letter that PHIPrivacy.net was able to find:
By way of background, this past Fall the Company was notified by law enforcement in Tampa, Florida (on October 1, 2012) that a now-former employee of the Company illegally accessed and disclosed certain patient account information in connection with a scheme to file false federal tax returns. Based on the information available to the Company after a thorough internal and external forensic review, it appears that only patients who had ambulance transports during the period January 1 through June 21, 2012 would be potentially affected. When the Company first learned of this incident the Company had no reason to believe that any account information of the Ambulance Agency had been accessed. The employee was apprehended by authorities, immediately terminated by the Company, pleaded guilty to charges brought against her, and isnow awaiting sentencing.
Based on the additional information that was recently provided to the Company by the IRS, however, the Company and the Ambulance Agency have learned that account information of some patients of the Ambulance Agency may have been among the information that was accessed by the former employee. Although it is not known whether any of such information was actually misused, because this cannot be ruled out, this notice is being provided out of an abundance of caution.
To help minimize the risk of future data breaches, the Company is making its employees aware of this incident and the consequences to the individual involved and has also reminded its employees of the importance of maintaining the security and confidentiality of individual records.
ADPI had notified The Department of Health and Human Services (HHS) on Nov. 28 that there were 27 agencies in 17 affected states involved in the breach: Arizona, California, Florida, Georgia, Kansas, Kentucky, Massachusetts, Maryland, Missouri, North Carolina, Nebraska, Nevada, New Mexico, Ohio, Oklahoma, Tennessee and Texas.