Vendor partner exposes data of 650K Bon Secours patients

Bon Secours Health System in Virginia is notifying more than 650,000 patients of a data breach after a business associate inadvertently made protected health information accessible via the Internet.

The vendor, R-C Healthcare, was adjusting computer network settings in April and inadvertently made files accessible for four days in April, before Bon Secours discovered the files and had R-C Healthcare remove them.

R-C Healthcare is a hospital Medicare wage index consultancy that helps generate revenue by optimizing data reporting.

Protected information at risk included patient names, health insurers, health insurance numbers, Social Security numbers, a limited amount of bank account information, and limited clinical information.

Bon Secours did not respond to a request for additional information. The local CBS affiliate reports that the organization is offering one year of credit and identity theft protection services to consumers potentially affected by the breach.

Bon Secours has experienced three previous and considerably smaller breaches, all of which have been posted on the federal government’s web site of health care breaches affecting 500 or more individuals.

Those incidents include:

• The theft of electronic health records data in May 2013 that affected 5,764 individuals.

• The unauthorized access and disclosure of unspecified data in September 2014, affecting 696 individuals.

• The unauthorized access and disclosure of EHR data in October 2015, affecting 1,997 individuals.

For reprint and licensing requests for this article, click here.