RCM Vendor Discloses Security Incident that Published Patients’ SSNs

A revenue cycle management company has announced that it accidentally mailed invoices with the recipients’ Social Security numbers visible in the window portion of the envelope, in place of the city, state, and ZIP code where the invoice was being mailed.

RCM Enterprise Services, Inc. notified its client, Mercy Health, which operates 23 hospitals across Ohio and Kentucky, in November. Mercy Health did not indicate how many invoices were sent with the protected information visible in the window of the envelope.

The invoices were mailed out between April and October last year.

As of yet, there is no indication of any misuse of the disclosed Social Security numbers, according to Mercy Health and RCM.

Along with notifying all individuals about the incident, RCM laid out a series of “proactive” steps that individuals can take to minimize any damage from the accidental disclosure:

  • Enrolling to receive the complimentary credit/identity monitoring and restoration services that RCM is offering to those impacted by the event. Instructions on how to sign up for the services are included in the Jan. 6 notice from RCM.
  • Monitoring financial statements carefully, and promptly contacting the appropriate financial institution upon detection of suspicious or unauthorized activity.  
  • Monitoring credit reports and Social Security benefit reports for suspicious activity.  
  • Placing a fraud alert or security freeze on one’s credit file.
  • Contacting the Federal Trade Commission, one’s state Attorney General, or law enforcement, to obtain more information about protection against identity theft and to report suspicious or unauthorized activity impacting one’s identity and/or credit.
  • Reporting incidents of suspected or actual identity theft or fraud to the FTC, one’s state Attorney General, or law enforcement. 
  • Monitoring for misuse of one’s Social Security Benefits.

A data breach at a medical collection agency that was disclosed last year was one of the largest data breaches of the year. The personal information of more than 24 million individuals was compromised as a result of that breach.
