Bon Secours says data breach affects 655,000 patients
Reimbursement specialist R-C Healthcare Management, a business associate under HIPAA, left patient information accessible on the web for four days.
Personal information of more than 650,000 Bon Secours patients – including names, insurance identification numbers, banking information, social security numbers and some clinical data – was left exposed on the internet for four days this spring by a business associate of the hospital system.
R-C Healthcare Management, a reimbursement optimization firm, was adjusting its network settings between April 18 and April 21, and in doing so exposed data of Bon Secours patients in three states – 435,000 of them Virginia, and the rest in South Carolina and Kentucky – to be accessible online.
Bon Secours first discovered the vulnerability on June 14 and, in turn, notified R-C Healthcare.
"Upon receiving the notification, R-C Healthcare immediately took steps to secure the information so that it could no longer be accessed via the internet," according to a statement.
[Also: BlueCross BlueShield business associate breach puts data of 3.3 million at risk]
R-C Healthcare CEO K. Michael Webdale told Norfolk, Virginia-based WTKR that the company promptly hired an outside forensic investigator.
"The investigator confirmed the incident has been fully remediated. All R-C customers who might be affected have been notified of the situation and its resolution. "
Bon Secours also kicked off an internal investigation ands found that the files R-C made available via the internet may have exposed patient names, social security numbers, bank account information and limited clinical data.
[Also: 'Dark Overlords' suspected in Athens Orthopedic Clinic data breach]
"Medical records were not made available via the internet and medical care has not and will not be affected," the health system said.
Bon Secours officials said it took nearly two months to for an internal investigation to identify the patients who should be notified. The health system began mailing letters to those affected on August 12.
Twitter: @MikeMiliardHITN