The medical billing company Medical Management, LLC (MML) recently began notifying an undisclosed number of emergency room patients at various hospitals that their personal information may have been inappropriately accessed by a former MML employee.
"Federal law enforcement authorities informed MML on March 16, 2015 that a call center employee of MML who was authorized to work within MML's billing system copied certain items of personal information from that billing system and disclosed this information to a third party," MML stated in a notification letter [PDF] to those affected.
The employee, who worked for MML from February 2013 to March 2015, was fired as soon as MML learned of the criminal investigation.
"The personal information that was disclosed by this employee included names, dates of birth and Social Security numbers," MML added. "There is no indication that any information about medical history or medical treatment/services provided was disclosed."https://o1.qnsr.com/log/p.gif?;n=203;c=204660766;s=9477;x=7936;f=201812281312070;u=j;z=TIMESTAMP;a=20392931;e=i
All those affected are being offered one year of free access to identity theft protection services from Kroll.
There's no list of affected hospitals available at this point, though the following hospitals have issued statements regarding the breach:
- New Jersey's Englewood Hospital and Medical Center announced that some patients of Emergency Physicians of Englewood PC, Teaneck Emergency Physicians PA, and Valley Emergency Room Associates PA may have been impacted by the breach.
- New Jersey's Holy Name Medical Center says an undisclosed number of its emergency room patients may be affected, SC Magazine reports.
- New Jersey's The Valley Hospital says some of the patients treated in its emergency room by Valley Emergency Room Associates may have been affected. "Valley Emergency Room Associates is an independent emergency physician group that is not owned by The Valley Hospital or Valley Health System," the hospital stated.
- New York's White Plains Hospital announced about 1,100 people treated at its emergency may have been affected, The Journal News reports.
- Pennsylvania's Conemaugh Health System says an undisclosed number of emergency room patients at Conemaugh's Memorial Medical Center, Meyersdale Medical Center and Miners Medical Center may be affected. "While this breach did not happen within the Conemaugh Health System and did not involve any Conemaugh employees, we regret that it has impacted our valued patients," Conemaugh stated.
- Pennsylvania's Grand View Health says an undisclosed number of its emergency room patients may be affected. "Grand View Health sincerely regrets this unfortunate incident as we consider the privacy of personal information to be of the utmost importance," the hospital said in a statement.
- Pennsylvania's Jefferson Hospital says approximately 800 people treated at its emergency department may have been affected.
- Pennsylvania's University of Pittsburgh Medical Center (UPMC) says about 2,200 people who were treated at various UPMC emergency departments may have been affected. "We hold our vendors to the same high privacy standards that we have for ourselves," UPMC vice president of privacy and information security John Houston said in a statement. "Based upon the ongoing investigation, we will make whatever changes might be necessary to further enhance our already stringent privacy protections, especially those that apply to our business partners."
John Gunn, vice president of communications at VASCO Data Security, told eSecurity Planet by email that the MML breach demonstrates how the market for stolen data is being transformed. "Social Security numbers have become the primary high-value target that hackers are after, because they are worth 10 times as much as credit cards and they are protected by a fraction of the security of banking assets," he said.
"Perhaps more significant, we can see firsthand how secondary markets for stolen information have matured so much that regular individuals now have access and can readily sell stolen data such as Social Security numbers and credit cards -- the darknet is evolving into a Craigslist for stolen assets," Gunn added.
As a result, Secure Channels CEO and co-founder Richard Blech said, insider breaches like these are now commonplace. "The black market value of stolen customer data is fluid and high, and the payoff for the insider is just too tempting," he said. "Institutions know this, yet believe that they either don't need to protect the data or that they sufficiently have at the perimeter."