Nearly 136,000 patients may have had personal and health data exposed by a former employee of revenue-cycle management company Med-Data, according to the company.
The data breach may have exposed data on an estimated 135,908 patients, according to a report that Spring, Texas-based Med-Data submitted to HHS' Office for Civil Rights April 1. The HHS agency publicly posted the report to its online database of healthcare data breaches in an update this week.
In December, a journalist with blog DataBreaches.net alerted Med-Data that claims data related to its business had been uploaded to the website GitHub.
After an internal investigation, Med-Data determined a former employee had saved files with patient data to personal folders in public repositories they created on GitHub, an open-source code repository and software development platform, sometime between December 2018 and September 2019.
The files included data that hospital customers had shared with Med-Data as part of its revenue cycle services and may have included names, addresses, dates of birth, Social Security numbers, diagnoses, dates of service, medical procedure codes, provider names or health insurance policy numbers.
Med-Data said the files were removed from the website on Dec. 17.
On Feb. 5, a cybersecurity specialist hired by Med-Data provided the company with a list of patients whose data was exposed in the data breach. Med-Data reported the data breach to OCR in April; HIPAA-covered entities are required to notify the office within 60 days from when they discover a data breach.
Med-Data said it mailed letters to patients affected in the data breach on March 31.
Med-Data has since blocked file-sharing websites, updated internal data policies, and implemented a security operations center, a detection and response tool that monitors its network, and other security controls, according to a notice the company posted online.
The notice doesn't specify how many hospitals and health systems had patient data affected by the data breach but said Med-Data notified such customers Feb. 8.
AdventHealth Shawnee Mission in Merriam, Kan.; Hospital Sisters Health System in Springfield, Ill.; Memorial Hermann Health System in Houston; OSF HealthCare in Peoria, Ill.; SCL Health in Broomfield, Colo.; University Health in San Antonio and University of Chicago Medical Center are among the healthcare organizations that have said they were affected in the data breach.