Concerned? You should be! Who knows who now possesses this data, but the website that hosted that information should certainly be able to tell who accessed it, and how many times, over the 11-month period.
Who's to blame? If Stanford had a written contract with Multi-Specialty Collection Services requiring it to protect the privacy of protected health information, the fault appears to rest with Multi-Specialty Collection Services, according to this HHS article.
Especially interesting, though, is this section on the Health and Human Services website:
How Is This Information Protected
- Covered entities must put in place safeguards to protect your health information.
- Covered entities must reasonably limit uses and disclosures to the minimum necessary to accomplish their intended purpose.
- Covered entities must have contracts in place with their contractors and others ensuring that they use and disclose your health information properly and safeguard it appropriately.
- Covered entities must have procedures in place to limit who can view and access your health information as well as implement training programs for employees about how to protect your health information.
This raises the question: why does a billing contractor need a diagnosis? Is that information (the diagnosis code) necessary in order to collect payment due for services? If this were the company that submits claims to the insurance carriers, it would most definitely need that data. However, this company sounds like a collection agency, engaged to contact patients for remaining balances after the insurance portion has been paid. So does this flip the blame toward Stanford for giving too much information to a contractor?
What do you think about this latest breach?