
Patients begin to learn of data breaches that affected New Mexico health care providers



Over the past month, patients of New Mexico health care providers have begun to learn that some personal identifying information may have been accessed by unauthorized third parties.

This week, Albuquerque-based First Choice Community Healthcare Inc. announced that unauthorized access to its systems may have revealed personal and protected health information. In a statement posted to its website, First Choice said it is not aware of any misuse of information involved in the incident. However, the health care provider notified those who sought medical treatment or services at First Choice and may have been impacted so they can take steps to protect their information.

Affected data might include names, social security numbers, patient identification numbers, diagnosis and clinical treatment information, medications, dates of service, health insurance information, medical record number, patient account number, date of birth and provider information, according to the statement.

First Choice Community Healthcare learned of the incident on March 27 and then hired an independent cybersecurity firm to investigate the scope of potential access.

"The investigation subsequently revealed that certain personal and protected health information may have been accessed or acquired without authorization," the statement said. "We then initiated a comprehensive review of the potentially impacted data to determine the types of personal and protected health information involved and identify the potentially impacted individuals."

The process of determining the scope of the data breach was completed on June 3, according to the statement.

Les Rubin, First Choice Community Healthcare's interim CEO, said the provider then reported the breach to the Office for Civil Rights for the U.S. Department of Health and Human Services. He declined to say how many patients were affected.

When it comes to patient information stored by health care providers, federal law mandates that providers notify the HHS within 60 days if a data breach affects 500 or more people. If a breach affects fewer than 500 people, the provider must report it within 60 days of the end of the calendar year in which it was discovered.

Those reports then appear on a list that the HHS maintains. It shows provider-reported breaches that affect 500 or more people.

First Choice Community Healthcare has set up a hotline at 833-423-1900 for those with questions.

The provider's disclosure was first reported by The Albuquerque Journal. It comes just a few weeks after other New Mexico health care providers were included among a group of more than 650 clients believed to have been affected by an unrelated ransomware attack.

Professional Finance Company announced in early July that it had been the victim of a ransomware attack. The Colorado vendor provides payment and debt recovery services for health care providers. The attack might have exposed the personal identifying information of some people who visited those health care providers for services or treatment.

The ransomware attack could have affected more than 1.9 million people, according to the U.S. Department of Health and Human Services Office for Civil Rights data breach portal.

Professional Finance Company said it learned of what it called a "sophisticated ransomware attack" that disabled some computer systems on Feb. 26 of this year. An investigation showed that an unauthorized third party accessed files containing personal information.

The company said it notified health care providers in early May that accessed information might include first and last names, addresses, accounts receivable balances and information regarding payments made to accounts. In some cases, the accessed information might include dates of birth, social security numbers, health insurance details and medical treatment information.

Several New Mexico providers appear on the list released by Professional Finance Company.

One of those is Santa Fe Imaging and Santa Fe Radiology, whose patients were contacted by Professional Finance Company as part of an agreement between the vendor and its clients, said Chance Barnett, an attorney at Krehbiel & Barnett PC in Albuquerque.

Barnett has represented the Santa Fe provider in other areas over the years, but he said this is the first cybersecurity incident he's worked with them on. He said the data breach — "to the best of our knowledge" — did not reveal any medical information of Santa Fe Imaging and Santa Fe Radiology patients.

"In general, third-party billing vendors don't see the medical records," he said.

TriCore Reference Laboratories also heard from Professional Finance Company in late February, the lab's director of strategic development and communications Beth Bailey said in an email. The Colorado company had contracted with TriCore to recover outstanding patient bills, and is handling all of the notification and mitigation related to this incident, she said.

PFC has set up a hotline at 844-663-3160 for people with questions or who want to enroll in free credit monitoring and identity protection services.

— This article has been updated with additional details about patient notification on behalf of New Mexico healthcare providers.

