San Antonio-based University Health began notifying 2,704 patients that its billing services vendor, Med-Data, fell victim to a data breach.
University Health said in an April 5 news release that Med-Data provides revenue cycle and patient billing services for the Texas health system.
Med-Data said a former employee, while still working at Med-Data, saved PHI files to personal folders that they published on a public website.
Nine things to know about the breach:
- On Dec. 10, 2020, an independent journalist told Med-Data that some of its data had been uploaded to a public website.
- On Dec. 14, the journalist provided Med-Data a link to the data, and Med-Data launched an internal investigation to verify the journalist's claim.
- The investigation determined a former employee saved files to personal folders they created on the website between December 2018 and September 2019, while they were employed with Med-Data.
- The files were removed from the public website on Dec. 17, 2020.
- Med-Data hired cybersecurity experts, and on Feb. 5 the experts provided a list of affected individuals whose protected health information was exposed. On Feb. 8, covered entities whose patient data was affected were notified.
- On March 31, letters were mailed to affected individuals and required regulatory agencies.
- Breached data may include patients' Social Security numbers, addresses, birthdates and more.
- Med-Data is offering affected individuals credit monitoring and identity theft protection through IDX.
- To prevent similar events from happening in the future, Med-Data implemented additional security controls, blocked all file-sharing websites, updated internal data policies, implemented a security operations center, and deployed a managed detection and response solution center to provide continuous monitoring of its network.