What recently occurred at Lawrence Memorial Hospital regarding the online bill pay service?
On October 28, 2011, Lawrence Memorial Hospital learned that certain information maintained by Mid Continent Credit Services, Inc., d/b/a Blue Sky Credit, the hospital’s vendor for online patient bill pay services, was inadvertently made publicly available on the Internet between September 20, 2011 and October 28, 2011.
What types of information were involved?
Information potentially available included patient and payer names, address, phone, email, provider, payment amount, and date of payment. Depending on the type of payment, potentially available information also included credit card information or checking account information. This information was entered by the payer into the online bill pay system at www.lmhbillpay.com.
This event potentially affects individuals who have made online payments and patients for whom online payments were made. Individuals who made online payments for Health Fairs may be affected as well.
What types of information were not involved?
Payments made in person, in the mail, at a physician office or over the phone were not affected, with the exception of payments made using American Express. For patients’ convenience, American Express payments were processed through the online bill pay service.
Medical records, Social Security numbers and dates of birth were not included.
How did this incident occur?
The event occurred as a result of failed security measures during a system update on a website hosted by BrickWire LLC, which hosted the online patient bill-pay service on behalf of Mid Continent Credit Services. Improperly configured vendor website permissions potentially allowed external access for viewing online payment data entered by the payer.
How and when was this discovered?
On October 28, 2011, an individual called Lawrence Memorial Hospital to report that account information was accessible on an Internet search engine. The online bill pay website was shut down immediately once this was learned.
Why did it take a week to notify the public?
Initially, Mid Continent Credit Services reported that 28 individuals’ financial records were potentially involved and they sent letters informing those individuals.
LMH Information Technology staff investigating the incident determined that there was an insufficient audit trail to confirm this number, and the decision was made to expand notification.
We contacted the media on November 4, 2011 to alert them of the incident and took immediate steps to print and mail letters to potentially affected individuals.
How many accounts were potentially affected?
As a precaution, we are including all individuals who have made online payments and patients for whom online payments were made since 2005, when the online bill pay service began. Initially, we believed this number to be approximately 10,000. Further work eliminating duplicate names and multiple payments has narrowed the number to 8,275 people.
How did Lawrence Memorial Hospital resolve the situation?
Upon discovery of the event on October 28, 2011, LMH immediately notified Mid Continent Credit Services, which coordinated with BrickWire to immediately disable the system and implement measures to remove access to the information. We are continuing to follow up with Mid Continent Credit Services regarding the event, and are in the process of arranging for a new online payment system with a new vendor. On November 4, 2011, LMH notified the media about the event and communicated the availability of the LMH Online Bill Pay Report Line and email for individuals to call or write if they had questions about the incident.
Letters were mailed on November 14, 2011 to 8,275 individuals potentially affected by this incident, and the hospital made a report to the U.S. Department of Health and Human Services.
Additionally, as a precautionary measure, Mid Continent Credit Services has agreed to offer a free one-year credit monitoring subscription to affected individuals.
How can I contact Mid Continent Credit Services to request free credit monitoring?
Mid Continent Credit Services is offering a free one-year subscription to the LifeLock credit monitoring service to affected individuals. For details regarding this offer, please contact Ruben Chavez by calling (866) 621-6400 or by e-mailing firstname.lastname@example.org before December 31, 2011.
What is Lawrence Memorial Hospital doing to prevent this from happening again?
We will take any other measures determined to be necessary to prevent a similar event from occurring in the future, including vendor contract evaluation, Business Associate Agreements, and review of Information Technology system specifications for vendors utilizing LMH data, among other actions.
How can we tell if our payment information was accessed?
We have no way of knowing if this information was used for improper payments outside of the LMH bill pay function. However, as a precaution, individuals who have made online payments and patients for whom online payments were made are being advised in a letter to be aware of any suspicious activity on their account statements and monitor their credit reports.
Who may we contact for any additional questions?
Individuals with questions about this event should call Lawrence Memorial Hospital at (785) 505-4945 or toll-free (800) 749-4144. This line will be answered during business hours, Monday – Friday, 8:30 a.m. to 4:30 p.m.
Individuals also may contact us by e-mail: email@example.com.
Individuals also may write the hospital at 325 Maine Street, Lawrence, Kansas, 66044, Attn: Privacy Officer.
Lawrence Memorial Hospital takes the privacy and security of patient information very seriously. We sincerely apologize for the inconvenience caused by this event.