IE 11 Not Supported

For optimal browsing, we recommend Chrome, Firefox or Safari browsers.

Vendor Breach Raises Alarms for a North Carolina Health System

The Wake Forest Baptist Health-Lexington Medical Center announced that an unauthorized individual with a former vendor had gained access to one of its archived servers that included patient information in some backup files.

Digital patient records
Shutterstock
(TNS) — Wake Forest Baptist Health-Lexington Medical Center announced it has been notified of a data breach of one of its former vendors, Healthgrades Operating Company, that has put local patient information at risk.

On Jan. 29, Healthgrades notified Lexington Medical Center that an unauthorized individual gained access to one of its archived servers between Oct. 16 and Oct. 28 that included patient information in some backup files from the time it provided services to the hospital, according to a written statement released by Wake Forest Baptist Health.
 
Representatives for the hospital stated it has not received any indication that the information involved in the incident has been misused, but patients who may have been impacted will be mailed notices with further information.
 
The hospital stated, as of now, no patient data from Lexington Medical Center remains on Healthgrades systems. How many patients may have been exposed and how long ago these records were from was not provided by WFBH upon request.
 
"Lexington Medical Center cares about the privacy and security of its patients' information and takes this matter very seriously. As soon as LMC was notified, it immediately took steps to understand the circumstances of what took place and the information impacted," said the statement from WFBH.
 
Hospital representatives said the data breach was limited to Healthgrades systems only and did not involve any Lexington Medical Center systems or electronic health records.  In the past, Healthgrades had assisted Lexington Medical Center with patient and community education about health matters and services, according to WFBH.
 
Lexington Medical Center determined that the information contained in the archived files involved in the Healthgrades security incident varied by patient, but may have included patient names, addresses, demographic and contact information, dates of birth, LMC medical record numbers, Social Security numbers, dates of service, patient type (e.g., outpatient), limited health information — such as treatment and billing codes and their descriptions (which, in some cases, may indicate a diagnosis), names of physicians and their specialties, guarantor names, insurance type, insurance providers and/or cost of treatment information.
 
Lexington Medical Center is offering complimentary identity and credit monitoring services to patients whose information was involved. Healthgrades has also advised LMC that it has notified law enforcement of this incident and will cooperate with any follow-up investigation.
 
For any patients whose information was involved in the incident, LMC recommends that they review the statements they receive from their healthcare providers and contact the relevant provider immediately if they see services they did not receive.
 
Lexington Medical Center is offering resources to help support the patients whose information may have been involved. A call center has been established to answer any questions about this incident, which can be reached at 1-855-660-1531, Monday through Friday, from 9 a.m. to 6:30 p.m.
 
This is the second data breach involving a manage care organization working with a Lexington-based health care system.  On Friday a data breach was reported by PeakTPA, a manage care organization that works with Lexington-based Carolina SeniorCare.
 
Carolina SeniorCare provides home-based health services to seniors in Davidson, Rowan, Davie and Iredell counties. Carolina SeniorCare had 533 customers affected by the data breach, according to a news release. PeakTPA said patient data stored in two of its cloud servers were accessed in a ransomware attack that the company first became aware of on Dec. 31, 2020.
 
A third-party investigative agency discovered that the information accessed in the breach was patients' name, date of birth, address, social security number and diagnosis codes. All affected patients have been notified about the information breach, according to the news release. PeakTPA recommends that patients with compromised information review account statements and monitor free credit reports. Anyone who may have been affected by the security breach can contact PeakTPA at 1-855-761-0196 from 9 a.m. to 6:30 p.m. Monday through Friday.
 
©2021 The Dispatch, Lexington, Distributed by Tribune Content Agency, LLC.