Blogger Accesses PHI Stored by a Billing Service

December 9, 2016
News & Insights

An information security blogger stumbled across vulnerable protected health information (PHI) stored by a billing service. The billing service was contracted as a business associate of Best Health Physical Therapy, LLC, in Groton, Connecticut.

The blogger was searching for vulnerable data, according to Best Health’s statement, and was able to access the billing service’s computer system accounts. The blogger then notified the billing service of the vulnerability of the system and the data he or she was able to access.

The affected PHI included:

  • Addresses
  • Dates of birth
  • Driver’s license information
  • Health information
  • Insurance information
  • Names

The billing service closed the vulnerability and updated access controls were installed. The breach affected 1,100 individuals, according to OCR’s breach portal. The blogger stated he or she will not use any of the information accessed, and there is currently no evidence that PHI was misused or compromised. However, as a precaution Best Health is offering free credit monitoring services to affected individuals.

Best Health says that patients of the facility who have questions or concerns regarding this matter can call Sherry Lombardi at 860-326-5454.

Related Topics: 
Compliance, HIM/HIPAA, HIPAA