Two more medical groups notifying patients of Bizmatics security incident
Unbelievable. Entities are still first notifying patients of the Bizmatics, Inc. breach.
The North Ottawa Community Health System says it is erring on the side of caution following notification that the third-party electronic medical record company it uses for primary care patients might have had its computer servers breached.
NOCHS spokeswoman Jen VanSkiver said the local health system was notified that a software company called Bizmatics may have had an unauthorized user access its servers. The California-based company serves thousands of professionals and organizations across the world.
Read more on Grand Haven Tribune.
It’s not clear when Bizmatics first notified them, but they say they are notifying 20,000 patients. Of note, they say they stopped using Bizmatics three years ago – before the breach began. So what were the terms of their contract with Bizmatics such that Bizmatics still had their data, and on that server?
But NOCHS is not the only entity notifying patients this week because of the Bizmatics incident. Vincent Vein Center Grand Junction, P.C. is notifying 2,250 of its patients about the incident. Here is their statement from their web site:
Vincent Vein Center Grand Junction, P.C. (“VVC”) uses an electronic health record and practice management tool called PrognoCIS that is owned and operated by a third-party vendor, Bizmatics. Bizmatics recently provided VVC the attached letter indicating that a malicious hacker attacked Bizmatics’ data servers, which resulted in unauthorized access to Bizmatics customers’ records – ours included.
The PrognoCIS tool stores and organizes patient files, so the information that was potentially compromised is the medical record we maintain on you as a patient, such as health visit and treatment information, name, address, health insurance information, other identifying information, and, in some cases, a social security number. No credit card or financial information is stored in your patient file. Furthermore, as you will note in the letter from Bizmatics, Bizmatics has informed us that it has “no evidence that any of [VVC’s] records were in fact accessed or acquired by unauthorized persons, posted online, or otherwise shared in a public manner”.
VVC takes this issue seriously and has been in contact with Bizmatics regarding its investigation and assessment of the situation. Bizmatics informed VVC that it has consulted with law enforcement and has hired an independent cyber forensics firm to investigate and assure the intrusion is contained and the affected systems are better secured.
As noted in Bizmatics’ letter, we have no reason to believe that our patient files were the target of the hackers’ attack on Bizmatics. VVC is examining Bizmatics’ practices and determining whether a continued relationship with Bizmatics is appropriate. VVC will make every attempt to prevent further breaches.
We want to assure that your questions about this incident are answered so we have established a toll free number you can call to address your concerns. That number is 1-855-465-8882. You can also write us at 601 Center Ave, Grand Junction, CO 81501 or [email protected]
Despite there being no evidence that your records were accessed or that identity theft has occurred as a result of the incident, we have included the information enclosed as a resource for you. We sincerely regret that this incident has occurred and thank you for your understanding.
VVC’s notice and Bizmatics’ letter to them indicate that VVC was first notified in December 2015, and then again on March 30, 2016. There seems to be a long delay to notification of patients. I wonder what HHS/OCR will say about that, if anything.