Terminated employee continued to access Bon Secours' patients' billing information
When an employee is terminated, their login credentials to vendors’ databases with PHI must also be terminated. How often do you verify that it is actually being terminated properly?
Bon Secours Kentucky notified 697 patients that a former employee had improperly accessed their information from a billing database maintained by Athena. In a statement uploaded to their website, Bon Secours write:
In early April, 2014, during an audit of our billing data base, Athena, we identified suspicious access that prompted an investigation. Our investigation revealed that a user ID and password assigned to a former employee had been used to access information in the Athena system between April, 2013 and March, 2014. Our investigation determined that the information accessed with the user ID and password for the majority of patients included their name, date of birth and the last four digits of their Social Security number. A small group of patients had additional information accessed which included their name, dates and times of service, provider and facility names, patient account numbers (which may have included Social Security numbers), date of birth, and treatment information, such as diagnosis.
Due to the nature of the access, and out of an abundance of caution to protect our patients, we approached law enforcement, specifically the Secret Service, to assist us with our investigation. The Secret Service asked Bon Secours to delay notifying patients until their investigation was complete so as not to compromise their investigation. The Secret Service worked with Bon Secours to thoroughly investigate this matter and to determine if any patient information may have been used illegally. After discussions with the IRS Identity Task Squad, the Secret Service informed Bon Secours they found no evidence of criminal use of patients’ information at this time. The Secret Service advised on August 26 that we could send letters to affected patients.
As a precaution, we began mailing letters to affected patients on September 5 and are offering all eligible individuals one year free credit monitoring and identity protection services. We have also established a dedicated call center to assist our patients. If you believe you are affected by this matter, but have not received a notification letter by September 26, please call 877-683-9363 between 9 a.m. and 9 p.m. Eastern Time to speak with a call center agent.
We are deeply sorry that this has occurred. In response to this matter, we are working with our vendor, Athena, to ensure that all user IDs and passwords to their system are properly and permanently disabled when Bon Secours determines that an employee should no longer have access to information in the Athena system. We will continue to proactively monitor our systems to ensure that access to any protected health information is maintained in the most secure manner possible. We apologize for any inconvenience this may cause our patients.