Health information on 32,000 patients across 48 states was exposed when a medical transcription contractor left a firewall down, according to an article in The Tennessean newspaper.
M2ComSys of India contracted with Nashville, Tenn.-based hospitalist and intensivist company Cogent Healthcare to transcribe care notes dictated by physicians. It was supposed to store protected patient health information on a secure website, but its firewall was down between May 5 and June 24, when Cogent discovered the problem. It was the second HIPAA breach for Cogent, according to U.S. Department of Health and Human Services records.
Compromised patient information includes patients' names, dates of birth, diagnosis description, treatment data, medical history and medical records numbers, according to HealthData Management. Patients' complete medical records and Social Security numbers were not included.
Cogent has severed its relationship with M2ComSys, taken physical control of the hardware involved and confirmed with Google that all the information was removed from its files. It also has undertaken a security review with all its vendors.
Cogent is offering affected patients one year of paid identity protection services from Experian.
With new HIPAA regulations going into effect Sept. 23 that assess penalties on business associates and their subcontractors, those security reviews are taking on added importance.
A case study at HealthcareInfoSecurity recently outlined the efforts of North Carolina's CaroMont Health to track down all its business associate contracts.
Security experts say an increasing number of health data breaches are no accident and chide hospitals and practice groups for failing to take action until after a breach occurs.
Ninety-four percent of the 80 participating healthcare organizations polled by the Ponemon Institute had experienced at least one data breach that they were aware of in the previous two years. Those breaches cost organizations a total of $6.78 billion annually.