A revenue cycle management company in Pennsylvania has announced that the protected health information of nearly 18,000 individuals was compromised following unauthorized access to a company email account.
Healthcare Administrative Partners announced the breach earlier this week, but it actually occurred back in June. The company became aware of suspicious activity associated with one of the company’s email accounts. Once it uncovered the suspicious activity, the company changed the passwords on all employee email accounts and “enabled additional security controls in its email environment,” it said in a release.
The company hired a forensic expert to investigate the activity and confirmed that an unauthorized individual had accessed the corporate email account. The expert was unable to identify which emails or attachments were accessed, but in looking at what information was in the account, noted that the PHI of 18,000 individuals was present.
The information held in the account included patient names, addresses, dates of birth, medical record numbers, doctors' names, prescriptions, and medical diagnoses or limited treatment information.
Following the investigation, the company announced it has taken the following steps:
- all passwords have been reset
- emails from outside the organization are now labeled as external
- mailbox size restrictions and archiving requirements have been implemented
- options for multi-factor authentication are being evaluated
- employees are being retrained on recognizing and responding to suspicious emails
While there is no evidence to suggest that the personal information was misused, the company said it came forward in the interest of being fully transparent.
Healthcare Administrative Partners is based in Media, Penn., and provides medical billing, coding, and consulting services to healthcare organizations, especially those involved in radiology, pathology, and physician practices.