An 18-month data breach involving 15,000 patients at Upper Valley Medical Center in Troy allowed unauthorized access to patients’ names, address, hospital account number and balanced owed. No clinical information was accessible.
A legal notice published in area newspapers in late May said that the information may have been accessed through contractor Data Image’s online billing system. Hospital spokeswoman Gail Peterson said customers were informed of the breach in May by a letter from Data Image, which said one patient reported being able to see other patients’ data.
The letter also stated Data Image reloaded the online billing files to the correct accounts and filtered the billing statements to prevent unauthorized access.
The U.S. Dept. of Health and Human Services is required to post a list of breaches of unsecured protected health information affecting 500 or more individuals.
The UVMC breach involved unauthorized access/disclosure from October 1, 2010 to March 21, 2012.
“There was a technical programming error put in place 18 months (before it was discovered)” Peterson said. “The incident reported in March was the first time we learned of the program.”
Peterson added that reporting requirements were followed that allow for 60 days to gather information before notifying patients.
The breach wasn’t disclosed on the government website until July 3. Peterson said the health department was informed earlier than that.
“It wasn’t open to the public,” Data Image general manager Marty Callahan said of the programming error. “There was no breach outside of our walls. That went undetected until a singe patient notified us that they were able to see another invoice or bill. Callahan said he knew of no other instance where Data Image has been involved in a security breach.
“In closing, we acknowledge that it was our responsibility to you and Upper Valley Medical Center to protect your personal information,” Data Image’s letter concluded. “However, we have taken the appropriate actions to make sure this doesn’t happen again.”
Upper Valley Medical Center, which is part of Premier Health Partners, has used Data Image’s services since 2008. Data Image was founded in 1986.
Patients with questions may contact Data Image at UpperValleySupport@d-image.com or Data Image/Upper Valley Medical Center Support, 2345 Gratiot Rd. SE, Newark, OH 43055.