MediCorp offers up ID theft protection

November 18, 2008 12:35 am

BY JIM HALL

MediCorp Health System has offered hundreds of patients a free subscription to a credit-monitoring service after their private medical information was exposed online.

MediCorp, the parent company of Mary Washington Hospital, made the offer last week, nearly a month after patient data temporarily became available to the public.

Letters went to 760 people who had used the online registration system, said Mahogany Hart, spokeswoman for MediCorp. Many were maternity patients who had preregistered online for delivery of their babies at the Fredericksburg hospital.

Jina Haikey, MediCorp's privacy officer, told patients in the letter that the company has contracted with ID Experts, a computer security firm, to notify patients of any changes in their credit reports.

The one-year subscription is free to patients. It includes an insurance policy to cover certain losses, and help from a "recovery advocate" if patient data are misused.

Hart declined to say how much the offer will cost MediCorp. The bill will likely be in the thousands of dollars, depending on how many people accept it.

On its Web site, ID Experts sells a credit-watch family plan for $193.95 per year.

Rebecca Dennison, the person who first reported the security breach, said this week that she was surprised it took so long for MediCorp to respond. She received Haikey's letter last week.

"It makes it sound like they just heard about it," she said. "They've known about it for a month."

Dennison and her husband, Gary, live in Spotsylvania County and reported the problem to police on Oct. 11. Rebecca Dennison said she got a call that night from a stranger who said he was on the MediCorp Web site, reading personal information about her.

The man said later that when he went online to preregister his pregnant wife, he could read hundreds of files from other patients.

The man said 803 files were visible. The files appeared to be for people who had used the online registration service between Dec. 27, 2007, and Oct. 11, 2008, he said.

On a Web site set up by MediCorp and ID Experts, MediCorp explained the delay in notifying patients by saying that it took time to figure out what had happened and to decide what to do about it.

The exposed data included patient names, spouse names, addresses, phone numbers, Social Security numbers, birth dates, employer information and health-insurance information, according to Haikey's letter.

Haikey also described the man's entry into the computer system as an isolated event.

"We have been assured by this individual that he did not download, copy, distribute, save or otherwise utilize the information he accessed," Haikey wrote.

She said when MediCorp learned of the problem, it shut down the registration site and made sure the remainder of its computer system was secure.

She also said that the hospital has no evidence that anyone misused patient information.

"However, there is always some risk of unlawful use," she added.

The federal Health Insurance Portability and Accountability Act, or HIPAA, requires health providers to safeguard electronic patient data. It also prohibits the release of information without patient permission.

A spokesman for the U.S. Department of Health and Human Services declined yesterday to say whether the agency was investigating the MediCorp case.

Hart said the federal agency did not suggest that MediCorp make the offer to its patients.

"We just felt it was the right thing to do," she said.

Jim Hall: 540/374-5433
Email: jhall@freelancestar.com




Fraud Alert
Consumers who believe they may be victims of identity theft can post a free warning with the three major credit-reporting agencies.

The fraud alert also lets users know if someone attempts to open a new credit account in their name.

Experian, TransUnion and Equifax, the three nationwide consumer reporting agencies, offer the alerts.

The U.S. Department of Justice defines identity theft as a crime in which someone "wrongfully obtains and uses another person's personal data in some way that involves fraud or deception, typically for economic gain."

--Jim Hall




Copyright 2012 The Free Lance-Star Publishing Company.