Current and former patients of Barlow Respiratory Hospital have been notified of third-party security incident

Hospital beds with ventilator

A Los Angeles hospital that specializes in treating respiratory diseases says its patients’ personal data may have been exposed during a breach at one of its suppliers.

Current and former patients of Barlow Respiratory Hospital have been potentially impacted by the compromise of an employee email account at Healthcare Resource Group (HRG) in November 2019, according to a press release issued on April 7.

In a security alert Barlow Respiratory Hospital said that HRG, which provides medical billing services, handled patients’ information in managing Barlow’s referral process.

Breach timeline

The breach came to light on December 31 when HRG discovered that an email account was subject to unauthorized access between November 4-30.

HRG said it took immediate “steps to secure the email account” and promptly launched an investigation. HRG said it notified the hospital of the incident on March 11.

An audit of the email account’s contents, which concluded on February 27, found that potentially exposed information varied between patients but included: names, dates of birth, social security numbers, and driver’s license numbers; medical record, patient account, and Medicare/Medicaid ID numbers; and diagnostic, treatment, prescription, health insurance, and medical billing or claims information.

HRG said it had not yet uncovered any evidence that any compromised information had been misused.

The company said that it started notifying affected individuals on April 7. Affected patients have been offered 12 months of free credit monitoring and identity theft restoration services.

HRG’s notification letter, and the hospital’s security alert, have advised potentially impacted patients to regularly review account statements and monitor credit reports in case of unauthorized activity.

The hospital said “HRG is currently evaluating and updating, as appropriate, its privacy policies and procedures” and has “enhanced security awareness training among its workforce”.

HRG said it had notified the US Department of Health and Human Services (HHS) and relevant state regulators of the breach.

Founded in 1902, Barlow Respiratory Hospital is a non-profit healthcare provider with three facilities across California. The hospital is bracing itself for an influx of Covid-19 patients.

The Daily Swig has asked HRG and Barlow Respiratory Hospital for further comment, including the number of individuals potentially impacted. We’ll update this story as and when more information comes to hand.

RELATED Healthcare data breach: Medical device manufacturer discloses phishing attack