Mailed invoices from Mercy Health facility exposed patient identity info

Register now

A patient identity incident at Mercy Health Lorain (Ohio) Hospital shows that even though health information technology supports operations, other mistakes can expose data.

For the Mercy Health-operated facility, the mailed invoices created a breach of protected health information.

The breach occurred after a revenue cycle vendor mailed patient bills. The address window of the envelopes inadvertently exposed valid Social Security numbers.

Mercy Health learned of the breach in November from RCM Enterprise Services, a patient billing business associate. The vendor immediately launched an investigation to assess the nature and scope of the incident and undertook a comprehensive review of invoices that were mailed, and processes employed by RCM.

To date, Mercy Health and RCM have not found any actual misuse of patient Social Security numbers, according to a breach notification letter sent to patients.

Now, RCM executives say an unidentified credit firm will offer credit monitoring, identity monitoring and restoration services to patients, who also received information on protecting their personal information. Protective services generally are offered for one or two years.

The vendor declined to publicly say how many patients are affected by the breach but the number eventually will be posted on the HHS Office for Civil Rights’ data breach web site.

For reprint and licensing requests for this article, click here.