Amedisys, Inc. (NASDAQ: AMED) is currently in the process of notifying federal and state agencies as well as 6,909 individuals who may have had their personal information subject to a data breach.
Earlier this month, the Baton Rouge, La.-based home health and hospice provider reported the results of an extensive risk management process to locate approximately 142 encrypted computers and laptops belonging to former employees containing sensitive patient data.
Though Amedisys has no indication that external hacking into its network has occurred, and no evidence that any patients or former patients have suffered any actual harm, the company is reporting these computers as it is required to do so under law and because it cannot rule out unauthorized access to patient data on the devices.
“The confidentiality and security of patient information has been and will remain a top priority for Amedisys,” said Chief Compliance Officer Jeffrey Jeter in a written statement.
In a letter to its patients, the company affirmed that no reports of any hacking, fraud or identity theft have occurred as a result of the missing computers it had not been able to reconcile as of the February 23, 2015 completion of its inventory process.
The devices, which originally were assigned to Amedisys clinicians and other team members who left the company between 2011 and 2014, represent approximately 0.3% of the total number of devices Amedisys used during that time period, the company stated in a release.
All devices, Amedisys says, are “robustly protected” with 256-bit encryption, administrator restrictions and several other security protections designed to safeguard the personal and medical information of the company’s patients.
Depending on the device, the company said this information may include names, addresses, Social Security numbers, date of birth, insurance ID numbers, medical records and other personally identifiable data.
For these reasons, Amedisys is offering identify theft protection services to potentially impacted individuals, including credit monitoring, to protect against any possible harm that could arise from the incident.
“We have worked actively with leading risk management and technology experts to inventory and assess devices that may contain personal or health information and ensure the integrity of our information security systems,” Jeter said.
As part of this process, Amedisys has enlisted McLean, Va.-based Booz Allen Hamilton, a provider of management and technology consulting services, to assess and enhance its security and inventory systems and practices to ensure the protection of sensitive patient information.
Additionally, the company is also working with regulatory authorities such as the Office of Civil Rights-U.S. Department of Health and Human Services, which will review Amedisys’ compliance with applicable laws.
As for recent developments, a company spokeswoman told HHCN that there “continues to be no indication of wrongdoing or misuse of information.”
Cybersecurity experts and the media have dubbed 2015 “The Year of the Healthcare Hack,” saying that high-profile breaches affecting health companies such as insurer Anthem Inc. likely signal hackers’ increased focus on the industry. Senior living and home care companies are among the attractive targets, experts warn.
Written by Jason Oliva