32K patients' data breached due to downed firewall

A breach of protected health information of approximately 32,000 patients in 48 states was the result of a health IT vendor's firewall being down for more than a month, allowing, in some cases, for patient data to be indexed by Google.    

Cogent Healthcare, based in Nashville, Tenn., contracted with Las Vegas-based medical transcription and software vendor M2ComSys to transcribe care notes dictated by physicians. M2 stored protected health information on what was supposed to be a secure internet site, but the site's firewall was down. Access to the notes through the unsecured site began May 5 and ended when Cogent discovered the lapse on June 24. Patient data compromised included patients names, physician names, dates of birth, diagnosis description, treatment data, medical history and medical record numbers.   

In response to the HIPAA breach, Cogent Healthcare has terminated its relationship with M2ComSys and has taken physical possession of the hardware in use at M2. They are also in the process of ensuring that Google has removed all evidence of PHI from its files, according to reports.     

"We're just one of a couple dozen hospitals that had patient information unsecured," said Craig Cooper, spokesperson for Davenport, Iowa-based Genesis Health Systems. The PHI of 1,160 Genesis patients was compromised. According to Cogent officials, 32,000 patients seen at many of the company's physician groups in Arizona, California, Florida, Georgia, Iowa, Illinois, Kentucky, Massachusetts, Mississippi, Montana, New Jersey, New York, North Carolina, Pennsylvania, South Carolina, Tennessee, Texas, Washington and Wisconsin were affected by the breach. This is the second HIPAA breach for Cogent Healthcare, according to data from the Department of Health and Human Services.