Federal agency could investigate online security breach of LMH patient records

Lawrence Memorial Hospital, 325 Maine.

Lawrence Memorial Hospital, 325 Maine.

Lawrence Memorial Hospital officials anticipate there will be a federal investigation into a security breach that potentially compromised the financial information of more than 8,000 of its patients.

That investigation could result in a $25,000 fine from the U.S. Office of Civil Rights, which is the regulatory agency that oversees patient privacy and confidentiality, hospital leaders said Wednesday.

This week, LMH mailed thousands of letters alerting patients who had used the hospital’s online bill pay service that their contact and financial information could have been accessed online. Since 2005, LMH had contracted with the Wichita-based Mid Continent Credit Services to provide online billing.

In late October, LMH discovered that 28 patient records containing names, contact information, health care provider and medical payments were published online. Also available were credit card and checking account information.

So far, two patients have contacted the hospital about charges to their accounts they consider suspicious. If those charges are a result of the security breach is hard to say, LMH compliance management director Susan Thomas said.

“We can’t tell them for sure if this incident is directly responsible for that,” Thomas said and noted the only way to know is if the account was used only for the hospital’s online billing service.

Meanwhile, the hospital has been advising patients to take steps that would make them feel more comfortable — whether it be putting a lock on the account or obtaining a new bank card. For those concerned about the security risk, Mid Continent Credit Services has agreed to pay for a free one-year credit monitoring subscription.

The hospital was alerted to the security breach on Oct. 28 after a patient did a Google search of her husband’s name and found his financial information on a website by Brick Wire LLC, a Tulsa company that hosted the online bill pay service on behalf of Mid Continent Credit Services.

From what the hospital can deduce, Brick Wire did a system upgrade on Sept. 20 and left a portal open that contained payment records from 28 LMH patients. That information was accessed by Google, which then cached the page and kept the information public. LMH officials also believe from that portal there was a way to access a database that contained information on every patient who had used the online bill pay system since it was first offered in 2005.

“Literally, it was like leaving the door to the house open,” Thomas said.

At a LMH board meeting Wednesday morning, the hospital’s general counsel Andy Ramirez said the hospital did not own or maintain the computers that operated the online bill pay system. He also provided some clarification on what happened.

“No one was hacked,” Ramirez said. “This was a self inflicted wound by Brick Wire.”

After a “challenging phone conference” with Mid Continent Credit Services, Ramirez said, it was agreed that the hospital would be held harmless and that the event was “completely outside the control of the hospital.”

If the federal investigation does lead to a fine, Thomas said the vendors would most likely be responsible for paying it because patient privacy was part of the contract.

For now, the hospital has shut down its online bill pay service. It had already been in the process of switching vendors and is taking a closer look at that vendor’s security procedures. A new system should be in place in the next few weeks.

Those who have questions about the security breach can call LMH at 785-505-4945 or send an e-mail to lmhcompliance@lmh.org.

Tagged: Lawrence Memorial Hospital, patient information, security breech


gatekeeper 6 years, 7 months ago

I got this letter yesterday. I have never used their online bill pay. It appears that if you used a credit card at all at the hospital, your information was taken. Should have gone to a hospital in KC.

Susan Thomas 6 years, 7 months ago

The letters were mailed to all persons who paid a bill via LMHBILLPAY.COM for services at Lawrence Memorial Hospital; individuals who registered for LMH Health Fairs; or adult patients who had online payments made for their account by another person via LMHBILLPAY.COM.
The mailing list came from the LMHBILLPAY.COM vendor, and this information was entered by the person making the payment. Accounts were NOT involved in this incident if the payment was made at the hospital by any source (check, credit card), mailed or phoned in, or made online by another means, i.e., payments through the individuals' online banking. Any questions regarding individuals involved, the type of payment, date of payment, etc. can be answered by calling 785/505-4945 or sending an email to LMHCompliance@lmh.org Susan Thomas, Director of Compliance Management, Lawrence Memorial Hospital

Janice Early 6 years, 7 months ago

To clarify Susan's comment, we have learned that for our patients' convenience, payments made by American Express were processed using the online bill pay service. So it is possible that an individual may have not personally used the online bill pay but could have received a letter. I urge anyone with questions to contact the hospital by calling 785. 505-4945 or emailing us at LMHCompliance@lmh.org to learn the specifics of the payment.

Personally, I received a letter yesterday and did not remember ever using the service. However when I called I was able to learn the date of my payment (it was in 2005), amount, which credit card I had used and the last four digits of that card number. -- Janice Early, Director of Community Relations, Lawrence Memorial Hospital

LadyJ 6 years, 7 months ago

I recieved a letter for my daughter whose bill I pay, but so far, none for me. Waiting to see if I get one too. Glad they can provide the exact information since we have several different bank accounts.

troll 6 years, 7 months ago

From going to http://brickwire.com/#Team and looking at the roles of their "team", they do not appear to have anyone who specializes in Information Security. Most likely one of their PHP or Drupal programmers were responsible for securing the financial and medical data of LMH's patients. Great job at hiring competent professional to take care of your customers, LMH!

ezbreezy 6 years, 7 months ago

Just like any website there is a small chance this will happen, I will continue to support LMH and understand that no system is perfect. I've had my account through my bank compromised and I know the feeling of anger and helplessness you can feel when others have your information, but LMH is a good company and will hopefully take care of the people this happened to and work on making sure it never happens again.

gatekeeper 6 years, 7 months ago

BUT..... someone like me that didn't use their online service still could have had my information hacked. I paid in person with my AMEX card. If I had known they'd have to process my AMEX card through an online service, I would have used a different card. Thanks LMH for being up front about how you process payments with AMEX. Again, should have driven to a competent hospital in KC. The only people I've ever heard that were happy with LMH were only there to pop out a kid.

gphawk89 6 years, 7 months ago

So is everyone REALLY sure that it's a good idea for physicians to switch to electronic charts for their patients?

Homey 6 years, 7 months ago

Let's not sully the hospital's reputation because they tried to protect their patient's credit. My experience and anecdotally those of my friends are opposite to you and yours. Several of my family members have been treated at LMH. The staff and nurses are outstanding. The service was superior to anything that we got at two KC hospitals. The oncology unit is second to none and saves lives; same for the cardiologists. LMH did nothing wrong here and everything right. LMH could have covered this up. Instead they did the responsible thing and alerted the public so that we could protect our credit. Our local hospital is taking a beating for the mistake made by a Wichita company. Why isn't Mid Continent or Brick Wire listed in the headline?

cabocrazed 6 years, 7 months ago

Actually, electronic medical records (EMRs) are better for all parties - patients, physicians, nurses, hospital staff, etc. But up until Obama's healthcare reform bill, EMRs were voluntary. With healthcare reform, they will be mandatory because the government wants the ability to log into a hospital or clinic's EMR system to look at patient records. Pure and simple.

LadyJ 6 years, 7 months ago

Still have not gotten my letter, wonder how many others didn't get their's and have no clue there is a problem?

Commenting has been disabled for this item.