ST. LOUIS — We hear about data breaches all the time, but it's more troublesome when it includes protected health information, also known as PHI to those in the medical industry. On top of having a social security number compromised, a thief could also learn and expose your diagnosis -- something that a hospital or its contractor should legally protect under HIPAA, the Health Insurance Portability and Accountability Act.
Maureen Brady, a Missouri attorney who handles personal injury cases with the law firm McShane and Brady, says she and partner Lucy McShane are representing clients in Missouri and Kansas who received notice of such a breach. These are people who received letters from a company called Med-Data informing them that their social security numbers, addresses, phone numbers, medical conditions, and diagnoses were also compromised.
Med-Data is a health care contractor that houses and stores private medical information and, as a third party for hospitals, runs billing and accounting for those providers. The class-action lawsuit was filed in Jackson County, Missouri, and served on a registered agent in St. Louis.
"We as citizens have to be very vigilant about our information already," said Brady. "But particularly with medical information because it is so valuable, and it can be used against the patient."
In a redacted copy of the disclosure letter sent from Med-Data, the company said a journalist informed the company in December 2020 that data had been uploaded to a website. Med-Data said it launched an internal investigation and discovered that a former employee had saved files to personal folders from December 2018 to September 2019 while employed with the company.
Brady and McShane estimate nearly 750,000 patients may have had their data exposed for nearly a year. They say they've seen cases where people have lost their jobs, homes, or even custody of their kids in extreme cases because of disclosures of personal and protected health information. Criminals have used such data to file false medical insurance claims and fake tax returns, take out loans, and claim someone else's social security or Medicaid benefits.
It's a matter of mandated trust, says McShane.
"Even though it's a third party, it still has to keep your information protected," said McShane. "Your hospital can't pass that responsibility off under HIPAA. They fall under the hospital's purview."
Not only does it fall under HIPAA, but consumers pay for this privacy protection in the price of their services.
Brady says Med-Data failed on a number of fronts, from the response time to the actions taken after realizing the breach. Brady says under HIPAA, the company is supposed to contact each patient, though she questions whether everyone has been notified. She also says the company was supposed to give notification within 60 days of the breach, which also didn't happen, as the letters were dated in late March. She says multiple lawsuits have been filed, including in Texas and Washington state, and more are certainly coming.
"Our medical information goes to the very core of our own personal self," said Brady. "And that information is for us to disclose and how we want." Brady hopes more people will come forward and contact their office.
Med-Data said in its letter to patients that it is offering identity theft protection services through IDX, a data breach and recovery services expert. It also includes a year of credit and CyberScan monitoring, a $1,000,000 insurance reimbursement policy, and fully managed ID theft recovery services. The company encourages anyone who received a letter about the breach to call 1-833-903-3647 or go to https://response.idx.us/holdings.