Cogent Healthcare, Inc., which manages several physician groups throughout the United States, recently began notifying approximately 32,000 patients of physicians in 24 such physician groups that their personal health information (PHI) may have been exposed online (h/t FierceHealthIT).
The company had contracted with the medical transcription company M2ComSys to transcribe patient care notes for some of its physician groups. M2ComSys then stored those notes, which included patients’ names, birthdates, diagnoses, summaries of treatments provided, medical histories, medical record numbers, and physicians’ names, on a Web site that was supposed to be secure.
A security lapse by M2ComSys, however, apparently exposed some of those notes to online access.
“We are generally unable to identify who accessed the notes,” Cogent Healthcare senior vice president LeToia Crozier wrote in the notification letter [PDF]. “In some cases, the notes were indexed by Google.”
The breach was discovered by Cogent Healthcare on June 24, 2013. The company then took action to prevent further access to the notes and investigated how it occurred. The notes were first accessed on May 5, 2013, and access to the site was blocked on June 24, 2013.
All those affected are being offered a free one-year membership in Experian’s ProtectMyID Alert service.