Physician’s Business Office notified 196,573 patients that their personal data and protected health information were likely stolen during a hack of its network five months ago. Based in West Virginia, PBO provides medical practice management and administrative services for healthcare providers.
PBO discovered unusual activity in its network environment in April 2022 and took steps to secure the network. An outside digital forensics and incident response firm was brought on to assist and found that data stored on the network was accessed “and potentially acquired without authorization” during the hack.
Under the Health Insurance Portability and Accountability Act, covered entities and business associates are required to report any breaches of PHI affecting over 500 patients within 60 days of discovery. PBO appears to explain the delay by its “diligent” review of the potentially impacted data to identify the patients and providers tied to the data, which concluded on June 30. Providers were informed on July 26.
Its explanation for waiting another three months before sending the official notice was that it was coordinating with providers and working “to collect current mailing addresses for all potentially impacted individuals.”
The stolen data could include patient names, Social Security numbers, dates of birth, driver’s licenses, treatments, diagnoses, contact details, disability codes, prescription information, and health insurance account details. Patients will receive free credit monitoring and identity theft protection services.