GREENVILLE, SC – Some patients of a cardiology practice at Greenville Health System have been affected by an incident at Ambucor Health Solutions, a national leader in remote-monitoring labor service for cardiac devices. Approximately 2,500 patients – or about one-fifth of the cardiac-monitored patients at GHS’ Carolina Cardiology Consultants – are affected and will be notified by Delaware-based Ambucor that some of their personal information was inappropriately downloaded by a former Ambucor employee shortly before his employment at Ambucor ended.
Ambucor officials, who have been working with law enforcement in the investigation, said they didn’t have any indication that the personal data had been misused.
The patient personal information did not include patient credit or debit card numbers, medical insurance or Medicare/Medicaid numbers, or other financial information.
Ambucor said the downloaded information may have included patient’s name, date of birth, home address, phone number, race, diagnosis, medications, testing data, patient identification number, medical device information (such as the manufacturer, identification number and model/serial numbers), Ambucor enrollment number, Ambucor enrollment date, Ambucor technician name, physician name(s) and the name and address of the practice where the patient was seen. Ambucor has informed GHS of only one patient of Carolina Cardiology Consultants whose social security information was downloaded.
In July 2016, law enforcement authorities provided Ambucor with two flash drives that the former employee turned over to them after his departure from the company. In late September 2016, Ambucor completed a detailed forensic review of the flash drives, which provided additional information about which individuals had their personal information downloaded. Ambucor then began notifying affected providers, including GHS. Out of an abundance of caution, Ambucor will offer affected patients one year of identity protection services and, if necessary, related recovery services and $1 million of identity theft insurance at no cost. Affected patients should consider activating the identity protection services. Ambucor officials have also confirmed they are taking steps to prevent this type of incident from occurring again, including a thorough review of and updates to all HIPAA security processes.
Any third party that handles GHS patient information must contractually agree to implement and maintain adequate physical, technical and administrative safeguards to protect the confidentiality of that information.
“GHS and Carolina Cardiology Consultants take patient privacy seriously and deeply regret any inconvenience or concern this incident may cause our patients,” said Joseph Manfredi, MD, ambulatory director of electrophysiology.
Letters with instructions about activating the free identity protection services will be mailed to affected patients next week, said Ambucor. Affected patients with questions are urged to contact the Ambucor dedicated call center at (866) 313-7933 or call the GHS Privacy Office at (864) 797-7755.