A federal agency is investigating a breach of confidential information from 160,000 patients at certain Med Center Health facilities.
Irregularities were discovered during a January internal investigation, and the information was then given to law enforcement officials, who discovered the apparent breaches happened August 2014 and February 2015, according to a news release from Med Center Health.
“When Med Center Health reported this incident to law enforcement, they asked that Med Center Health delay notification to patients or public announcement of the incident until now so as not to interfere with their investigation,” the release said. “Now that law enforcement’s request for delay has ended, Med Center Health is notifying patients as quickly as possible. We are actively working alongside law enforcement throughout their continued investigation into the matter.”
Med Center Health Vice President Doris Thomas responded via email to several questions from the Daily News, including providing the number of patients impacted.
David Habich, chief counsel for FBI in Louisville, confirmed it was his agency investigating the matter, which was ongoing.
What is being said is that Med Center Health determined a former employee obtained certain billing information by creating the appearance that he or she needed the information to carry out their job duties. The patient information was on an encrypted CD and encrypted USB drive and included names, addresses, Social Security numbers, health insurance information, codes for diagnoses and procedures and charges for medical services.
Patient medical records were not included in the inappropriately obtained information, so medical histories and treatments have not “and will not be affected by this incident,” according to the release.
“Med Center Health is committed to protecting the security and confidentiality of our patients’ information. We apologize to our patients who have been impacted by this misuse of information,” Med Center Health CEO Connie D. Smith said in a news release. “It is important for our patients to know that we are not aware of any evidence indicating that the billing records were being used to cause harm. We have been working alongside law enforcement on their continued investigation and greatly appreciate their involvement in this matter.”
Information was taken for certain patients who were treated at The Medical Center at Bowling Green, The Medical Center at Scottsville, The Medical Center at Franklin, Commonwealth Regional Specialty Hospital, Cal Turner Rehab and Specialty Care and Medical Center EMS between 2011 and 2014.
In response to any concerns that might arise due to a delay in informing patients, Med Center Health said:
"Med Center Health, informed patients as expeditiously as possible. It is important to understand that the information leading Med Center Health to report the incident pursuant to HIPAA developed over time during an intensive internal investigation," the email said. "Indeed, our internal investigation is on-going and information is actively being developed and provided to law enforcement.
"Nonetheless, once we believed we had gathered adequate information to support that an HIPAA related incident occurred, we followed the appropriate processes. We have no current information indicating the patient information was used for fraud. Our goal throughout this process is to be open and transparent and share information as quickly as possible, while at the same time not hindering law enforcement."
Affected patients will be notified in writing within two weeks with an offer of free credit monitoring and identity protection services for one year. In addition, notification letters will be sent to the insurance subscribers and patients’ guarantors whose information might also have been contained in the records.
Med Center Health has established a call center to help answer patient questions. The call center is toll free at 844-420-6490 and is open from 8 a.m. to 8 p.m. Monday through Friday.