Federal agency could investigate online security breach of LMH patient records
November 16, 2011
Lawrence Memorial Hospital officials anticipate there will be a federal investigation into a security breach that potentially compromised the financial information of more than 8,000 of its patients.
That investigation could result in a $25,000 fine from the U.S. Office of Civil Rights, which is the regulatory agency that oversees patient privacy and confidentiality, hospital leaders said Wednesday.
This week, LMH mailed thousands of letters alerting patients who had used the hospital’s online bill pay service that their contact and financial information could have been accessed online. Since 2005, LMH had contracted with the Wichita-based Mid Continent Credit Services to provide online billing.
In late October, LMH discovered that 28 patient records containing names, contact information, health care provider and medical payments were published online. Also available were credit card and checking account information.
So far, two patients have contacted the hospital about charges to their accounts they consider suspicious. Whether those charges are a result of the security breach is hard to say, LMH compliance management director Susan Thomas said.
“We can’t tell them for sure if this incident is directly responsible for that,” Thomas said, noting that the only way to know is if the account was used only for the hospital’s online billing service.
Meanwhile, the hospital has been advising patients to take steps that would make them feel more comfortable — whether it be putting a lock on the account or obtaining a new bank card. For those concerned about the security risk, Mid Continent Credit Services has agreed to pay for a free one-year credit monitoring subscription.
The hospital was alerted to the security breach on Oct. 28 after a patient did a Google search of her husband’s name and found his financial information on a website by Brick Wire LLC, a Tulsa company that hosted the online bill pay service on behalf of Mid Continent Credit Services.
From what the hospital can deduce, Brick Wire did a system upgrade on Sept. 20 and left a portal open that contained payment records from 28 LMH patients. That information was accessed by Google, which then cached the page and kept the information public. LMH officials also believe that from that portal there was a way to access a database that contained information on every patient who had used the online bill pay system since it was first offered in 2005.
“Literally, it was like leaving the door to the house open,” Thomas said.
At an LMH board meeting Wednesday morning, the hospital’s general counsel, Andy Ramirez, said the hospital did not own or maintain the computers that operated the online bill pay system. He also provided some clarification on what happened.
“No one was hacked,” Ramirez said. “This was a self-inflicted wound by Brick Wire.”
After a “challenging phone conference” with Mid Continent Credit Services, Ramirez said, it was agreed that the hospital would be held harmless and that the event was “completely outside the control of the hospital.”
If the federal investigation does lead to a fine, Thomas said the vendors would most likely be responsible for paying it because patient privacy was part of the contract.
For now, the hospital has shut down its online bill pay service. It had already been in the process of switching vendors and is taking a closer look at that vendor’s security procedures. A new system should be in place in the next few weeks.
Those who have questions about the security breach can call LMH at 785-505-4945 or send an e-mail to email@example.com.