James D. Wolf Jr. of the Post-Tribune reported today that up to 860 patients who used the City of Valparaiso Fire Department ambulance service last year would be receiving breach notification letters from ADPI.
And yet it seems that individuals whose data were compromised for at least one city/client are first finding out now. Why the delay if the employee was arrested last year and pleaded guilty? Why weren’t affected Valparaiso residents notified last year?
After some digging, I finally located the city’s notice concerning the breach, and therein lies the explanation – of sorts:
This notice is provided by the Valparaiso Fire Department (the “Ambulance Agency”) concerning a data breach incident affecting records of a number of Ambulance Agency patients. Advanced Data Processing, Inc. (the “Company”) manages billing for the Ambulance Agency and on July 16, 2013 the Company learned from the Internal Revenue Service that certain patient records connected with the Ambulance Agency may have been improperly accessed. Accessed account information included name, date of birth, Social Security number and record identifier, but no medical information was accessed.
So ADPI never figured out all of the data that was accessed by the former employee, it seems, and only found out last month when the IRS contacted them. The fact that the IRS contacted them suggests to me that the data of at least some residents of Valparaiso was misused as part of the tax refund scheme, although ADPI says it does not know whether any data was misused. The fire department’s notice continues:
By way of background, this past Fall the Company was notified by law enforcement in Tampa, Florida (on October 1, 2012) that a now-former employee of the Company illegally accessed and disclosed certain patient account information in connection with a scheme to file false federal tax returns. Based on the information available to the Company after a thorough internal and external forensic review, it appears that only patients who had ambulance transports during the period January 1 through June 21, 2012 would be potentially affected.
I think one can reasonably question any claim that there was a “thorough” forensic review if ADPI’s review did not reveal that up to 860 residents of Valparaiso may have had their data accessed.
When the Company first learned of this incident the Company had no reason to believe that any account information of the Ambulance Agency had been accessed.
Then that strikes me as a failure of their monitoring or auditing protocols.
The employee was apprehended by authorities, immediately terminated by the Company, pleaded guilty to charges brought against her, and is now awaiting sentencing.
Based on the additional information that was recently provided to the Company by the IRS, however, the Company and the Ambulance Agency have learned that account information of some patients of the Ambulance Agency may have been among the information that was accessed by the former employee. Although it is not known whether any of such information was actually misused, because this cannot be ruled out, this notice is being provided out of an abundance of caution.
“Abundance of caution?” An abundance of caution would have been to notify every person who used a service that was a client of ADPI’s during the time period in question. Notifying people after there is already evidence of misuse of at least a portion of the data is not any kind of “abundance of caution.”
Update: ADPI’s press release just showed up in my newsfeed. You can read it here.