Radiologist bypasses billing system computer security and acquires 97,000 patients’ info from NRAD Medical Associates – Update 4

Posting this here temporarily as phiprivacy.net is experiencing some problems.

Usually when I see an envelope from NRAD Medical Associates, P.C. in my mail, it concerns a radiology bill or insurance matter following services there. But today, I opened the envelope to find a breach notification.

Their notification, signed by their president, vice-president, and secretary-treasuresr, begins with the now somewhat pro forma statement about how they are seriously committed to the privacy and security of their patients’ information, which is why they want us to know of a security concern. Of course, at least part of the reason they are letting us know is because under HITECH, they have to. In any event, let’s get to the guts of their notification:

On or about April 24, 2014, it was discovered that an employee radiologist accessed and acquired protected health information from NRAD’s billing systems without authorization. This included some personal information, including patient names and addresses, dates of birth, social security numbers and health insurance, diagnosis codes and procedure codes.

They do not indicate when the breach occurred or how it was discovered.

NRAD states that they have

no evidence that the information has been disclosed to or used by any third parties and have no evidence that your credit card, banking or other financial information was accessed. We believe there to be low risk to this incident, but any risk is unacceptable.

In response to the discovery, NRAD “immediately implemented enhanced security measures,” and recommended that patients contact one of the three major credit bureaus to place a fraud alert on credit reports.

They also established a toll-free number, and posted a copy of the notification and an FAQ on their web site.

In the FAQ, they state that the radiologist is “no longer employed at the practice and his misconduct was reported to the appropriate authorities and government agencies for investigation.” The breach was also reported to HHS.

A call to their hotline requesting a police report number and asking how the breach was discovered required the hotline representative to forward my inquiry to others, who have yet to return my call after a few hours, so it is not clear whether they even reported this matter to the police [SEE UPDATE AT BOTTOM OF POST].  If they do return the call, I’ll also inquire as to when the breach occurred, and will update this post.

In terms of the scope of the breach, NRAD reports that it affects approximately 97,000 current and former patients, which they state is approximately 12% of the more than 800,000 patients they have treated over the past 20 years. It was not clear from their letter whether all 800,000 current and former patients’ information was still in their billing system (and if so, why). I asked the hotline representative whether there were 800,000 patients’ information in their billing system and she said there was.  I hope the hotline representative was wrong about that.

NRAD did not offer affected patients any free credit monitoring services [SEE UPDATE AT BOTTOM OF POST}. Given the types of personal information acquired, their failure to offer some free services is somewhat surprising and may come back to bite them in the way of lawsuits from unhappy patients who may now be worried about identity theft. Credit monitoring wouldn’t prevent medical identity theft, of course, and the notification letter does not suggest patients check their explanation of benefits statements from their insurers, so I’ll suggest it.

As a patient of NRAD, I have always been very happy with their medical services, and after a decade or more of reporting on breaches, I realize that pretty much any covered entity can experience a breach. But I also have enough experience to recognize when an apology, however sincere, and “we’ve  implemented enhanced security measures” are not enough in the way of mitigation. NRAD can and should do better.

 Update of June 24:  According to other media sources, the Nassau County District Attorney’s Office is investigating in cooperation with the Nassau County Police Department. So the incident was reported to law enforcement.  I still have not received a call back from my June 21st call to their hotline.

Update 2 of June 24:  ABC News informs me that NRAD now says they are offering credit monitoring.  I’ll update again when I get more details on that. Here was ABC’s coverage tonight, with a soundbite and some quotes from yours truly:

Update 3 of June 27: So, apparently you have to know to ASK for free credit monitoring, and anyone who doesn’t call and know to ask won’t get it. Wow.

Update 4: They are offering one year of credit-monitoring via an Equifax service – but only if you know to call them and request it. They will mail you the enrollment information and code you’ll need to sign up.

About the author: Dissent