Their press release:
December 12 – Franciscan Physician Network of Illinois (FPN Illinois) and Specialty Physicians of Illinois, LLC (formerly known as Wellgroup Health Partners, LLC, “SPI”) are notifying patients of a privacy breach.
On November 21, 2017, it was confirmed that a limited number of boxes that contained 22,000 patient payment records could not be located in a shared record storage facility located in Chicago Heights, Illinois. The boxes contained records from 2010 and 2015-17.
After an earlier routine records request, records personnel searched for the requested materials and could not locate them which triggered a further inventory audit that discovered some of the boxes, but a total of 40 boxes of payment records could not be located.
While the continuing investigation has not revealed any evidence of foul play, officials have taken the added step of notifying law enforcement as a further precaution.
“We value patient privacy and deeply regret that this incident occurred,” said Craig Miller, SPI executive director. “We are conducting a thorough investigation to identify additional measures we can take to prevent similar incidents in the future,” he said. Claude Foreit , vice president of Franciscan Physician Network, stated, “Steps have been taken to improve safeguards for payment records, including bolstering physical security, updating our tracking system for paper records, and retraining employees responsible for handling these records.”
The affected records only include information relating to payments that were made in person either in the office at the time of service or in person at an FPN Illinois or SPI facility. Of those stored transactions, it was determined that payment records such as patient receipts, credit card receipts, and back-office accounting reconciliations were included in the boxes. The information included patient name, address, payment date, payment amount, payment method, office location and the last four digits of patient credit card numbers. No full credit card number was compromised in the incident. For a small subset of individuals who paid with a check, the records may contain the patient’s routing number, bank account number and social security number.
The payment records from 2010 may have also included patient date of birth, account number assigned by the facility, insurance ID number, diagnosis, type of visit, procedure code, provider name and address, dates of service and description of services performed.
Impacted individuals have been notified by mail and will be offered two years of identity theft protection services at no cost. Patients affected will also be encouraged to monitor their financial accounts, credit history, and Explanation of Benefits statements as extra precautions.
A dedicated hotline, (833) 295-7812, has been established to take patient questions related to this incident.