The Gloucester, MA Fire Department Ambulance Service experienced a HIPAA security breach when one of its billing company’s employees improperly accessed and disclosed patient account information. The employee was involved in a scheme to file false federal tax return.
The Gloucester Fire Department Ambulance Service posted a substitute data breach notice on the Gloucester government website. The substitute data breach notice replaced the need to send notices to individuals.
Let’s take a look at the elements of the Breach notification. The text below that is in bold is the actual text of the breach notification. The text that is in quotes represents key points from the HHS Breach Notification Guidance and RFI (74 FR 19006)
The Act specifies the following
methods of notice in section 13402(e):
• Written notice to the individual (or
next of kin if the individual is deceased)
at the last known address of the
individual (or next of kin) by first-class
mail (or by electronic mail if specified
by the individual).
• In the case in which there is
insufficient or out-of-date contact
information, substitute notice,
including, in the case of 10 or more
individuals for which there is
insufficient contact information,
conspicuous posting (for a period
determined by the Secretary) on the
home page of the Web site of the
covered entity or notice in major print
or broadcast media.
This notice is provided by the Gloucester Fire Department Ambulance Service concerning a data beach incident affecting records of a number of Ambulance patients. Advanced Data Processing, Inc./Intermedix (the “Company”) manages billing for the Gloucester Fire Department Ambulance Service, and on October 1, 2012, the Company learned that one of its employees improperly accessed and disclosed certain patient account information in connection with a scheme to file false federal tax returns. Accessed account information included name, date of birth, Social Security number and record identifier, but no medical information was accessed.
Section 13402(f) of the Act requires
the notification of a breach to include
(1) a brief description of what
happened, including the date of the
breach and the date of the discovery of
the breach, if known; (2) a description
of the types of unsecured PHI that were
involved in the breach (such as full
name, Social Security number, date of
birth, home address, account number, or
The employee was apprehended by authorities, immediately terminated by the Company and no longer has access to Company systems. The Company also thoroughly investigated the matter. To help minimize the risk of future data breaches, the Company is making its employees aware of this incident and the consequences to the individual involved and reminding its employees of the importance of maintaining the security and confidentiality of individual records.
(4) a brief description of what
the covered entity involved is doing to investigate
the breach, to mitigate losses, and to protect
against any further breaches;
If you have reason to believe that your information is being misused, you should contact local law enforcement and file a police report. If you believe a tax return has been illegally filed using your information you should contact your local IRS Service Center or call the IRS at 1-800-908-4490. We advise you to remain vigilant and monitor your credit reports periodically. The Fair Credit Reporting Act requires each of the nationwide consumer reporting companies to provide you with a free copy of your credit report, at your request, once every 12 months. To order, visit www.annualcreditreport.com or call 1-877-322-8228. You may also choose to enroll in a free credit monitoring service.
(3) the steps individuals should take to
protect themselves from potential harm resulting from
You may call representatives of the Company at 1-877-264-9622 Monday through Friday, 9 a.m. to 9 p.m. Eastern, if you have any questions regarding this matter.
(5) contact procedures for individuals to
ask questions or learn additional
information, which shall include a toll-
free telephone number, an e-mail
address, Web site, or postal address.
Make sure your HIPAA Incident Response Plan includes a breach notification template and that you understand what is required for breach reporting.