Data breach at a medical billing company potentially exposed the PHI of 18,000 patients

December 10, 2019
Medicare Web

Healthcare Administrative Partners (HAP), a medical billing company in Pennsylvania that provides billing, coding, and practice management services to hospital-affiliated physician practices, recently notified 17,693 patients of a data breach that may have exposed their protected health information (PHI).   

HAP became aware of suspicious activity associated with an employee email account in late June and subsequently changed all of their employees’ passwords, according to a Notice of Data Breach published by HAP. The company then hired independent computer forensic experts to assist with an investigation into the breach. The forensic investigation confirmed that an unauthorized individual accessed one of HAP’s corporate email accounts, potentially exposing the following PHI:

  • Addresses
  • Dates of birth
  • Medical diagnoses
  • Medical record numbers
  • Patient names
  • Physician names
  • Prescriptions
  • Treatment information

There is no evidence that any PHI was viewed or misused by the unauthorized individual. In light of the incident, HAP has taken the following steps to prevent future data breaches:

  • Implemented mailbox size restrictions and archiving requirements
  • Labelled external emails
  • Reset all passwords

HAP is also in the process of evaluating options for multi-factor authentication and retraining employees on recognizing suspicious emails.

 

 

 
