Add the ENT and Allergy Center in Arkansas to the list of covered entities notifying patients of a breach involving Bizmatics, Inc.
In a statement dated May 31, that is linked from their web site, Stephen Cashman, M.D., states that the practice was initially notified of the incident in January, 2016. But, “At that time, Bizmatics could not conclude that our patient records were among those that were accessed and had no reason to believe that the data that was compromised had been published or shared in any public manner.”
In early April, however, Bizmatics notified the practice “that at least some of our electronic patient medical records were potentially accessed and obtained by unauthorized persons. The information contained in the records that may have been accessed included patient names, addresses, health visit information, and at least the last four digits of the patient’s Social Security number.”
The unauthorized access did not include credit card number of financial and payment information, which are maintained on a separate system that is not related to Bizmatics or PrognoCIS.
As reported by other clients of Bizmatics, Inc., Bizmatics remains “unable to ascertain with any specificity which individual patient records, or which information within specific patient records, was specifically affected.”
The incident was reported to HHS as involving 16,200 patients.
By now, approximately one quarter of a million patients have been notified from the handful of Bizmatics, Inc. clients for whom we have information. But Bizmatics, Inc. has 15,000 clients. If all of them were affected – and we do not know that because Bizmatics, Inc. hasn’t issued any statement or answered questions – then this incident could affect well over 50 million patients. Now it may be that no patient suffers any concrete harm such as ID theft or fraud, but the cost of even just notifying all these patients and offering them credit monitoring services would likely be very costly.