NY: Martin Luther King Jr. Health Center learns of subcontractor's breach four years later, responds to breach admirably

The Martin Luther King Jr. Health Center (MLK)  in the Bronx, New York, recently notified 37,000 patients of a security breach that occurred in 2009. The incident was just added to HHS’s breach list today.

I was unable to find any media coverage of the breach, but found a notice on the center’s web site that was still prominently linked from their home page. It’s one that you will want to read in its entirety.

Potential Disclosure of Personal Health Information

Bronx-Lebanon Hospital Center
Dr. Martin Luther King, Jr. Health Center

On August 27, 2013, we learned that Professional Transcription Company (PTC), a company that was hired by us to transcribe dictated physician reports, had hired a subcontractor, Bahoo.net (Bahoo), which allowed certain transcriptions to be publicly available through Bahoo’s website and through certain search engines (e.g., Google). Upon investigation, it was determined that Bahoo failed to adequately secure its File Transfer Protocol (FTP) site allowing certain transcriptions to be viewable. The information in the transcriptions included patient names, type of treatment/procedure, diagnoses and dates of service, but did not include social security numbers, financial information, contact information or any other personal information in the patients’ medical records. As soon as the incident was identified, Bahoo closed its website and destroyed the hard drive so that the public could no longer view such personal information on the website. The unintended consequence of Bahoo’s decision to destroy the hard drive is that it is not possible to identify the specific dates the personal information was posted or whose information was publicly viewable. To be cautious, we notified by mail all patients whose information was sent to PTC over the past four years.In addition to taking these steps, Bahoo worked with the internet provider to prevent the transcriptions from being viewable in the internet search. We also hired a technical consultant to work with the other search engines to ensure the removal of any transcriptions that might still be viewable. Although no financial information was included, patients were advised that if they become aware of any suspicious activity in their accounts, they should report it to immediately to us.

If you have any questions or wish to make a report, please call us at the Call Center, 877-451-9361 (toll free), Monday through Friday, 9 am to 6 pm.

The security of patient information is critically important to us, as it is to our patients. We will continue to take all steps necessary to meet this goal and in furtherance of our mission of needed health care to the communities we serve.

The reference to Professional Transcription Service sounded familiar to me, and I did some digging and found out that the PTS breach had been reported on this site back in December 2010, after another one of their clients, Newark Beth Israel Medical Center in New Jersey, had reported the incident to HHS. The New Jersey hospital’s report did not mention Bahoo.net, so this is the first time we’re learning that it was their error. Interestingly, MLK did not seem to have named Professional Transcription Services or Bahoo.net in their computerized breach report to HHS, which means their names don’t show up on HHS’s breach list for this incident. To the extent that some people consider HHS’s public breach tool a “Wall of Shame” (I don’t view it that way), those responsible for the breach should have been names.

But why did other PTS clients find out about the breach in December 2010 but Martin luther King Jr. Health Center only find out in August 2013? Was it because Bahoo destroyed the hard drive before it was thoroughly analyzed?  If so, what an unfortunate over-reaction on their part.

Kudos to Martin Luther King Jr. Health Center for genuinely erring on the side of  caution to notify everyone in 4-year window. And I’m impressed that they even explained the FTP error on Bahoo’s part.

Finally, did anyone else note that MLK told patients to call them if they wish to make a report of suspicious activity on their account? When entities tell patients to call law enforcement, they put themselves in a position of not knowing if problems have occurred related to their breach, which also limits their ability to actually support the patient or help mitigate any harm.  By telling patients to call them, MLK demonstrated to its patients that it was there for them and cared enough to want to know if they experienced any difficulty as a result of the breach. I think it was a smart move on their part. And if law enforcement should be notified, the hospital’s call center staff can presumably instruct the patients to follow up by reporting the problem to the police.

About the author: Dissent