James D. Wolf Jr. of the Post-Tribune reported today that up to 860 patients who used the City of Valparaiso Fire Department ambulance service last year will be receiving breach notification letters from ADPI.

You remember the ADPI breach, of course. I first reported on it in November 2012, when I also started compiling a list of all of ADPI’s clients that had been affected by the breach. And yet individuals whose data were compromised for at least one city/client are only finding out now. Why the delay, if the employee was arrested last year and pleaded guilty? Why weren’t affected Valparaiso residents notified last year?

After some digging, I finally located the city’s notice concerning the breach, and therein lies the explanation, of sorts:

This notice is provided by the Valparaiso Fire Department (the “Ambulance Agency”) concerning a data breach incident affecting records of a number of Ambulance Agency patients. Advanced Data Processing, Inc. (the “Company”) manages billing for the Ambulance Agency and on July 16, 2013 the Company learned from the Internal Revenue Service that certain patient records connected with the Ambulance Agency may have been improperly accessed. Accessed account information included name, date of birth, Social Security number and record identifier, but no medical information was accessed.

So ADPI never figured out all of the data that was accessed by the former employee, it seems, and only found out last month when the IRS contacted them. The fact that the IRS contacted them suggests to me that the data of at least some residents of Valparaiso was misused as part of the tax refund scheme, although ADPI says it does not know whether any data was misused.
The fire department’s notice continues:

By way of background, this past Fall the Company was notified by law enforcement in Tampa, Florida (on October 1, 2012) that a now-former employee of the Company illegally accessed and disclosed certain patient account information in connection with a scheme to file false federal tax returns. Based on the information available to the Company after a thorough internal and external forensic review, it appears that only patients who had ambulance transports during the period January 1 through June 21, 2012 would be potentially affected.

I think one can reasonably question any claim that there was a “thorough” forensic review if ADPI’s review did not reveal that up to 860 residents of Valparaiso may have had their data accessed.

When the Company first learned of this incident the Company had no reason to believe that any account information of the Ambulance Agency had been accessed.

That strikes me as a failure of their monitoring or auditing protocols. If the billing system kept a per-record access log, the question of which clients’ records this one employee touched should have been answerable in October 2012, not in July 2013 when the IRS supplied the answer.

The employee was apprehended by authorities, immediately terminated by the Company, pleaded guilty to charges brought against her, and is now awaiting sentencing. Based on the additional information that was recently provided to the Company by the IRS, however, the Company and the Ambulance Agency have learned that account information of some patients of the Ambulance Agency may have been among the information that was accessed by the former employee. Although it is not known whether any of such information was actually misused, because this cannot be ruled out, this notice is being provided out of an abundance of caution.

“Abundance of caution?” An abundance of caution would have been to notify every person who used a service that was a client of ADPI’s during the time period in question. Notifying people after there is already evidence of misuse of at least a portion of the data is not any kind of “abundance of caution.”

Update: ADPI’s press release just showed up in my newsfeed. You can read it here.
In response to inquiries initiated by this blog after noting a discrepancy between Grady’s statement and ADPI’s statement concerning the timeframe of the breach, Grady has just issued the following correction:

Billing contractor data breach includes Grady EMS patient information

Some Grady EMS ambulance service patients are being notified that selected personal information may have been stolen by a former employee of Advanced Data Processing, Inc. (ADPI), the company that handles billing for Grady EMS. An ADPI investigation shows that one of its employees illegally accessed the company’s ambulance billing system and stole personal information of thousands of ambulance service patients nationwide, including Grady EMS patients. ADPI, working with law enforcement, identified the source of the information breach and immediately terminated that employee.

The ADPI investigation found that the records of approximately 900 Grady EMS patients were illegally breached and that personal information was copied. The probe shows the data breach started June 15, 2012 and ended October 12, 2012 and law enforcement is currently working to determine if any of the Grady EMS patient information may have been used illegally.

Grady Health System is committed to protecting the confidential information of our patients and is working closely with ADPI to prevent future breaches. To protect Grady patients, ADPI will provide all the individuals affected with a year of free credit monitoring to ensure that their personal information is not used improperly. The health system is also in touch with those patients and will assist them as needed with any consequences resulting from this unfortunate incident.

For more information regarding the ADPI data breach, please contact Lisa MacKenzie, MacKenzie Marketing Group, 503-705-3508, [email protected]

The original media release, dated November 30, 2012, incorrectly stated that the data breach began January 15, 2012. This release has been updated to correct the start date of the breach, which was June 15, 2012.
One of the things that happens with a blog like this one or DataBreaches.net is that an organization discovers that I’m covering their incident and starts checking my blogs to see what I’m writing. At the same time, I’m checking other sites to see what they’re saying. This week, I’m obviously focused on the ADPI breach, as it appears to be a large breach that may have been mirrored in other HIPAA-covered entities around the state (or country). If ADPI wants to turn lemons into lemonade, they have an opportunity to help us all learn from this breach and harden our security against future incidents of this kind.

But something I just read on ModernHealthcare.com gave me pause. In his coverage of the breach, Joseph Conn got a statement from Pam Dixon of the World Privacy Forum. I have tremendous respect for Pam and the WPF, and I found her comment a bit puzzling:

“The next thing we can say, the way this company has made breach notifications, is really poor business practice,” Dixon said. “This is disingenuous. If someone’s information has been sold to a crime ring, they need to get help and assistance almost immediately. Best practice dictates that people are told quickly and the entire truth is told.”

What is it that ADPI could have done that Pam thinks they should have done or could have done but did not do? They say they discovered the breach on October 1 and mailed notification letters on November 29. They told people what kinds of information were involved, and if they knew for a fact that someone’s data was stolen and misused, their notification letter offered them free services through IDExperts. So what help and assistance wasn’t made immediately available? And what information was withheld that Pam thinks is important for the “entire truth” to be told?
In my opinion, ADPI should have been more transparent with respect to the number of patients whose records were known to have been copied and misused (category 1), those whose data were copied but for whom there is no available evidence of misuse at this time (category 2), and those whose information might have been copied (category 3).

It’s also difficult for members of the public to know whether they should be concerned, because there’s no disclosure of all of the ambulance services that were affected. Someone who moved and may not receive a notification letter would have no way of knowing if their data had been stolen and misused unless they call the number. That said, I understand from similar situations in the past that ADPI may feel it is not their place to disclose their clients’ names, as the clients should be able to decide whether and when they want to publicly disclose that their patients were affected. Had ADPI simply listed all their affected clients, the clients might not have been prepared for calls from concerned patients, etc.

But ADPI probably could have and should have included some statement in their disclosure and notifications as to whose information was at risk. Was it only patients who used an ambulance service/client’s service between January of 2012 and July 2012, for example, or anyone who used one of their clients’ ambulance services since 2006 or ……? Such information often helps the public figure out whether they might be at risk and should call the phone number provided if they did not receive a notification letter. Does ADPI know the answer to that question? If so, they should have provided it. If not, they should have said that at this time, they don’t know but will disclose that once their investigation is complete.

Another question that is as yet not clearly answered by ADPI is whether this employee had access to the computerized database or was copying from paper records that came across his/her desk. If it was theft/copying of electronic records, then there are a lot of other questions that I would ask, too, but until we know whether this was a breach of electronic or paper records, those questions may be premature.

So… if you read ADPI’s statement about the breach and their notification letters, what did you think? What else should they have told people, and what else should they have done, if anything?
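The three notification categories above, and the remark elsewhere on this page that ADPI’s inability to say which clients’ records were touched points to a monitoring or auditing failure, both come down to the same thing: whether the billing system keeps a per-record access audit trail that can be queried after the fact. The script below is an added example of what such a trail lets you do; it is not ADPI’s code and contains no ADPI data. The log format, the clerk-to-agency assignments, the record inventory and the list of record ids “flagged by law enforcement” are all constructed for the demo. It flags a user accessing clients outside their assignment, bounds the access window per client, and sorts every record into categories 1, 2 and 3.

```python
"""Scope an insider-access incident from a billing system's access audit log.

Added example, not ADPI's code or data. The log format, assignments,
record inventory and flagged record ids are all constructed for the demo.
"""
from collections import defaultdict

# Constructed audit log: <ISO timestamp> <user> <client agency> <record id> <action>
AUDIT_LOG = """\
2012-06-14T08:55:12Z clerk1 AGENCY_A R1001 VIEW
2012-06-15T09:12:03Z clerk2 AGENCY_A R1001 VIEW
2012-06-15T09:12:41Z clerk2 AGENCY_A R1002 VIEW
2012-06-15T09:13:10Z clerk2 AGENCY_B R2001 VIEW
2012-06-15T09:13:55Z clerk2 AGENCY_B R2002 EXPORT
2012-07-02T14:02:00Z clerk1 AGENCY_A R1003 VIEW
2012-09-30T16:40:21Z clerk2 AGENCY_C R3001 VIEW
2012-10-12T11:05:09Z clerk2 AGENCY_C R3002 VIEW
"""

# Constructed: which client agency each billing clerk is assigned to work.
ASSIGNED_CLIENTS = {"clerk1": {"AGENCY_A"}, "clerk2": {"AGENCY_A"}}

# Constructed record inventory: (client, record id) -> transport date.
RECORDS = {
    ("AGENCY_A", "R1001"): "2012-06-10",
    ("AGENCY_A", "R1002"): "2012-06-12",
    ("AGENCY_A", "R1003"): "2012-06-30",
    ("AGENCY_B", "R2001"): "2012-06-11",
    ("AGENCY_B", "R2002"): "2012-06-13",
    ("AGENCY_B", "R2003"): "2012-06-13",
    ("AGENCY_C", "R3001"): "2012-09-20",
    ("AGENCY_C", "R3002"): "2012-09-21",
    ("AGENCY_C", "R3003"): "2013-01-05",
}

# Constructed: record ids law enforcement reported as used in false returns.
MISUSED = {"R2002"}


def parse_audit_log(text):
    """One dict per non-empty line of the constructed log format."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, client, record, action = line.split()
        events.append({"ts": ts, "user": user, "client": client,
                       "record": record, "action": action})
    return events


def out_of_scope_access(events, assigned):
    """Users touching client agencies they are not assigned to -> {user: clients}."""
    hits = defaultdict(set)
    for e in events:
        if e["client"] not in assigned.get(e["user"], set()):
            hits[e["user"]].add(e["client"])
    return dict(hits)


def access_window(events, user):
    """(first ts, last ts, {client: set of record ids}) for one user."""
    mine = [e for e in events if e["user"] == user]
    if not mine:
        return None, None, {}
    by_client = defaultdict(set)
    for e in mine:
        by_client[e["client"]].add(e["record"])
    stamps = [e["ts"] for e in mine]  # same ISO format, so string order == time order
    return min(stamps), max(stamps), dict(by_client)


def classify(events, user, records, misused):
    """Sort records into: 1 accessed and misused, 2 accessed only, 3 might have been copied."""
    first, last, by_client = access_window(events, user)
    cats = {1: set(), 2: set(), 3: set()}
    if first is None:
        return cats
    accessed = {(c, r) for c, rs in by_client.items() for r in rs}
    for (client, rec), transported in records.items():
        if (client, rec) in accessed:
            cats[1 if rec in misused else 2].add((client, rec))
        elif client in by_client and transported <= last[:10]:
            # Same client, existed before the access window closed, no logged
            # access: cannot be ruled out from the log alone, so category 3.
            cats[3].add((client, rec))
    return cats


def per_client_counts(cats):
    """Counts per client agency, the numbers a notification list would carry."""
    counts = defaultdict(lambda: {1: 0, 2: 0, 3: 0})
    for cat, pairs in cats.items():
        for client, _ in pairs:
            counts[client][cat] += 1
    return {c: dict(v) for c, v in counts.items()}


if __name__ == "__main__":
    evs = parse_audit_log(AUDIT_LOG)
    print("out of scope:", out_of_scope_access(evs, ASSIGNED_CLIENTS))
    print("window:", access_window(evs, "clerk2")[:2])
    print("per client:", per_client_counts(classify(evs, "clerk2", RECORDS, MISUSED)))
```

The point of the category 3 rule is the one the blogger makes about Valparaiso: absence of a logged access is only evidence of non-access if the log is known to be complete, so records of an affected client that existed during the window stay in scope until the investigation shows otherwise. The out-of-scope check is the kind of alert that would have fired on the first day a clerk assigned to one agency started viewing and exporting records for two others.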
As I had done with the Epsilon breach on DataBreaches.net, I’ve decided to devote a blog post to tracking organizations affected by the Advanced Data Processing (ADPI) breach. The San Francisco Chronicle reported that there were “27 agencies in 17 states whose patients may have had personal information stolen.” As you’ll see below, that does not appear to match what we know at this time.

ADPI had informed me that the 17 states include: Arizona, California, Florida, Georgia, Kansas, Kentucky, Massachusetts, Maryland, Missouri, North Carolina, Nebraska, Nevada, New Mexico, Ohio, Oklahoma, Tennessee and Texas. At the very least, we’re missing the affected Nevada organization or agency, and we may be missing other organizations within some of these states.

Use the comments section below to let me know about organizations or significant details to be added to this list. If you can, please provide links to the media sources you are relying on. We don’t need multiple media sources on each entity, so if there’s already a good media link, we don’t need more. Right now, most of the links are to substitute notices/press releases that simply name the agencies, so we’re missing a lot of details. If you have a breach notification letter that we haven’t seen already that you can scan in and share, that would be great, too.

For organizations named in the media, press releases, or notifications to states, I am providing a link to the source. Where the number affected has been reported, I’m including links to that, too. Each entry gives the organization, state, number affected where known, and the source. The following list is in alphabetical order:

Berkeley Fire Department (CA): 931 affected; ADPI notice to CA naming Berkeley FD. “On October 15, ADPI notified the City that the personal information of 168 City of Berkeley ambulance customers had been inappropriately accessed. On November 21, 2012, after completing further forensic analysis, ADPI notified the City that the employee may have accessed an additional 763 customer records.”
Carlsbad Fire Department (CA)
City of Atlanta EMS (GA): NHDOJ letter; see Grady entry, but are others in Atlanta affected?
City of Azle (TX)
City of Berkeley (CA): see Berkeley Fire Department
City of Blue Springs (MO)
City of Bonham Fire Department (TX)
City of Casselberry (FL): Media
City of Corona Fire Department (CA): ADPI notice to CA naming Corona FD
City of Covington Fire Department (KY): 1548
City of El Centro (CA): 1500; see El Centro Fire Department; media report
City of Gloucester: 1286; see Gloucester Fire Department; NHDOJ Notice; Substitute Notice
City of Los Angeles (CA): see Los Angeles Fire Department
City of McAlester (OK)
City of North College Hill (FL): 555 (HHS)
City of Omaha (NE)
City of Overland Park (KS): 911 (Notification, jpg)
City of Seguin Fire/EMS (TX): 800; 839 (HHS)
City of Valparaiso Fire Department (IN): 860 [Note: those affected by the breach were first notified in August, 2013]
City of Victoria (TX)
City of Yuma Fire Department (AZ): Media (FD)
Cumberland County Hospital System dba Cape Fear Valley Hospital Health System (NC)
El Centro Fire Department (CA): 1500; ADPI notice to CA naming El Centro FD
First Response Medical Transportation Corp. (MD): 552 (HHS); Media
Frederick County (MD): Media
Gloucester Fire Department: Media correction
Grady Health Systems (GA): 900
Harris County Emergency Corps (TX)
Los Angeles Fire Department (CA): 913 (26 definites, 900 possible); Media; ADPI notice to CA naming LAFD
Okaloosa County EMS (FL): 715
Osceola County EMS (FL): 949; Media
Sandoval County (NM)
Sumner County EMS (TN): 745 (Media); 774 (HHS)
Victoria Fire Department (TX)
Village of North Palm Beach (FL)
Washington County EMS (TX): 1300; 1435 (HHS)
I was just reading that 900 patients who were treated at Grady Health Systems’ emergency care facilities may have had their data stolen by a former hospital contract worker. I thought it was yet another breach, but the Associated Press reports that the contractor worked for Advanced Data Processing Inc. Yes… the same company that I reported on here, and it appears to be the same breach. The patients whose data were accessed were those who were transported by ambulance to the hospital’s emergency care facilities; ADPI handled the ambulance billing.

The hospital’s statement differs from ADPI’s statement in one significant way, however. According to a hospital spokesperson, the illegal access/conduct by the employee occurred over a nine-month period, between mid-January and mid-October. The Atlanta Business Chronicle repeats those claims, reporting that the 900 patients (definitely) had their records copied and that the breach took place between January 15 and October 12. According to ADPI’s notification and statements to this blog, however, the breach first occurred on June 15, and ADPI learned of it on October 1 when law enforcement contacted them to alert them that there was a problem.

I suspect we’ll be reading a number of contradictory reports for a while. If 17 states were notified about this breach, this could be really ugly in terms of hospital patients affected. ADPI notified HHS on November 28, as I noted previously. I wonder if we will ever get a full accounting of all of the hospitals affected and the total number of patients (hospital and non-hospital ambulance) affected.

Update 1: I’ve e-mailed both ADPI’s spokesperson and Grady’s spokesperson about their conflicting reports on the time frame of the breach and will update this entry when I get responses.

Update 2: Grady corrected their statement.