Management and Network Services, LLC (“MNS”) has become aware of a data security incident that may have involved the personal and protected health information belonging to patients of post-acute providers to which MNS provides services. MNS has sent notification to the potentially involved providers and individuals to notify them of this incident and provide resources to assist them.
MNS provides some administrative support services to post-acute providers, and in connection with providing these services, MNS may receive information belonging to providers’ patients or individuals who were referred by but did not receive services from, a provider. On or about August 21, 2019, MNS confirmed that several employee email accounts may have been accessed without authorization at various times between April and July of 2019. Five (5) of the impacted email accounts were believed to contain personal or protected health information. In an immediate response, MNS took steps to ensure the security of its email system and began analyzing the email accounts to determine what information may have been affected. The analysis recently revealed that personal and protected health information for providers’ patients and individuals referred to providers for treatment was contained in the affected email accounts.
There is no evidence of the misuse of any information potentially involved in this incident. However, on March 5, 2020, MNS provided notification about the incident to the post-acute providers whose patients may have been impacted. On May 4, 2020, MNS also notified the individuals potentially involved in the incident who did not receive direct-provider notification and provided the information about the incident and steps they can take to protect their personal information.
Based on the investigation of the incident, the following personal and protected health information may have been involved in the incident: names, medical treatment information, diagnosis information or codes, medication information, dates of service, insurance providers, health insurance numbers, dates of birth and Social Security numbers. For a small number of individuals, affected information may also include Driver’s License numbers, State Identification Card numbers, and financial account information.
MNS takes the security of patient information very seriously and has taken steps to prevent a similar event from occurring in the future, including strengthening and enhancing password policies organization-wide and expanding the use of multi-factor authentication to all employees.