Firewall error by M2ComSys exposed 32,000 patients' information (Update 1)
A vendor’s firewall error has resulted in approximately 32,000 patients in 48 states being notified that some of their protected health information was exposed on the Internet. The vendor was medical transcription service M2ComSys, contracted by Cogent Healthcare. The latter provides physicians called hospitalists to hospitals operated by Genesis Health Systems. Neither Genesis Health Systems or Cogent Healthcare were directly responsible for the breach, which occurred when the vendor’s firewall was down between May 5 and June 24.
Deirdre Cox Baker reports on the local impact in Iowa, where 1,164 patients are being notified:
No Social Security numbers, credit or banking information were involved, said Ken Croken, a spokesman and vice president for Davenport-based Genesis.
What was involved was information about individual patient cases that was discussed between hospitalists and primary care physicians. This includes dictation of follow-up care information, or “care notes,” for the patient’s regular physician.
Getahn Ward reports from Tennessee, where fewer were affected. He explains:
The accessible information included care notes with varying combinations such as physician’s name, patient date of birth, diagnosis description, summary of treatment provided, medical history and medical record number, but it didn’t include copies of the patients’ medical records or Social Security numbers, the company said.
Cogent is providing notification to affected patients and is offering them a year of credit monitoring services, even though it is not aware of any records being accessed or misused.
The firm has terminated its contract with M2ComSys.
Update 1: A template of Cogent’s notification letter to patients was submitted to California, and is available here. The letter explains, in part:
Cogent Healthcare, Inc. also began a full-scale investigation to determine how the incident occurred and to determine which data and individuals were involved. The care notes were first accessed on May 5, 2013. Access to the site ended on June 24, 2013. We are generally unable to identify who accessed the notes. In some cases, the notes were indexed by Google.
In addition to the forensic investigation, Cogent also took other steps:
We have ended our relationship with M2 and taken physical possession of the hardware held by M2 that stored our PHI. We have confirmed with Google that it has removed all evidence of PHI from their files. We have initiated a security review of other Cogent Healthcare, Inc. vendors who have access to PHI to confirm their security procedures.
In an attachment to the letter, Cogent lists all of its entities that have been impacted by the breach:
- Cogent Healthcare of California, P.C.
- Cogent Healthcare of Washington, P.C.
- Cogent Healthcare of Ocala, L.L.C.
- Cogent Medical Care, P.C.
- Cogent Healthcare of Texas, P.A.
- Endion Medical Healthcare, P.C. d/b/a Endion SeniorCare
- Cogent Healthcare of Montana, P.C.
- Cogent Healthcare of Arizona, P.C.
- Cogent Healthcare of Georgia, P.C.
- Cogent Healthcare of Iowa, P.C.
- Cogent Healthcare of New Jersey, P.C.
- Inpatient Specialists of Southwest Florida, LLC
- Cogent Healthcare of Kentucky, P.S.C.
- Cogent Healthcare of Wisconsin, S.C.
- Comprehensive Hospital Physicians of Florida, Inc.
- Cogent Healthcare, Inc.
- Cogent Healthcare IPA of New York, Inc.
- Cogent Healthcare of Brockton, P.C.
- Cogent Healthcare of North Carolina, P.C.
- Cogent Healthcare of South Carolina, P.C.
- Cogent Healthcare of Daly City, P.C.
- Cogent Healthcare of Jackson, MS, LLC
- Cogent Healthcare of Pensacola, L.L.C.
- Cogent Healthcare of Pennsylvania, Inc.
It’s a very impressive breach response and notification letter.