On August 3, 2022, Methodist McKinney Hospital reported a data breach with various state government entities after the healthcare provider learned that an unauthorized party had gained access to its computer system and removed certain files containing sensitive patient data. According to Methodist McKinney Hospital, the breach resulted in the names, addresses, Social Security numbers, dates of birth, medical history information, medical diagnosis information, treatment information, medical record numbers, and health insurance information of certain patients being compromised. After confirming the breach and identifying all affected parties, Methodist McKinney Hospital began sending out data breach letters to all affected parties.
If you received a data breach notification, it is essential you understand what is at risk and what you can do about it. To learn more about how to protect yourself from becoming a victim of fraud or identity theft and what your legal options are in the wake of the Methodist McKinney Hospital data breach, please see our recent piece on the topic here.
What We Know About the Methodist McKinney Hospital Data Breach
The information about the Methodist McKinney Hospital data breach comes from an official filing with the Montana Attorney General as well as a notice posted on the hospital’s website. According to these sources, on July 5, 2022, Methodist McKinney detected unusual activity within its computer system. In response, the healthcare group secured its systems and contacted a cybersecurity firm to assist with the investigation.
The Methodist McKinney Hospital investigation confirmed that an unauthorized party was able to access the company’s computer network, as well as the networks of the related providers, Methodist Allen Surgical Center (“MASC”) and Methodist Craig Ranch Surgical Center (“MCRSC”).
Upon discovering that sensitive consumer data was accessible to an unauthorized party, Methodist McKinney Hospital began the process of reviewing all affected files to determine what information was compromised and which consumers were impacted by the incident. While the breached information varies depending on the individual, it may include your name, address, Social Security number, date of birth, medical history information, medical diagnosis information, treatment information, medical record number, and health insurance information.
On August 3, 2022, Methodist McKinney Hospital sent out data breach letters to all individuals whose information was compromised as a result of the recent data security incident.
More Information About Methodist McKinney Hospital
Founded in 2010, Methodist McKinney Hospital is a healthcare group based in McKinney, Texas. Methodist McKinney operates multiple locations throughout the greater Dallas area, including GTC McKinney, EDGE McKinney, MMH McKinney, Methodist Craig Ranch Surgery Center, EDGE Allen, GTC Frisco, Prosper Specialty Physicians, GTC Prosper, EDGE Frisco, GTC Plano, EDGE Plano, GTC Farmersville, GTC The Colony, GTC North Dallas and others. Methodist McKinney Hospital employs more than 263 people and generates approximately $31 million in annual revenue.
Was Protected Health Information Leaked in the Methodist McKinney Hospital Data Breach?
We know that the Methodist McKinney Hospital data breach affected sensitive patient information. And while Methodist McKinney Hospital did not mention the term “protected health information,” also referred to as PHI, in its data breach letter to patients, it appears that the leaked information included patients’ PHI.
Protected health information is any healthcare data that relates to a patient’s past or current health condition or how a patient pays or plans to pay for their healthcare. For example, the results of a blood test or CT scan, insurance claims information, or a list of a patient’s current medications could all be protected health information. However, healthcare-related data is not always considered protected.
Under HIPAA, healthcare-related is PHI if it contains one or more identifiers. Thus, if your lab results were leaked but did not contain an identifier, there would be no way for anyone to link those results to you, and the data would not be considered PHI. An identifier is an additional piece of information included along with the breached data that would allow someone to match the data to a specific patient. Common identifiers include patients’ names, physical or email addresses, physical addresses, photographs, fingerprints, or Social Security numbers.
The import of this is that, from a patient’s perspective, the fact that data is classified as protected health information means that anyone who comes into possession of the leaked data will have sufficient information to carry out healthcare identity fraud.
Healthcare identity theft is similar to other types of identity theft insofar as it involves an unauthorized person using the data for their own benefit. However, healthcare ID fraud is typically more difficult to resolve than other types of identity theft. This is because it often takes longer to straighten out due to the complexities of the healthcare industry.
Not only that, but unlike other forms of identity theft, healthcare identity theft can put patients’ health at risk. For example, cybercriminals often sell protected health information on the dark web. The person who buys the data likely does so because they are looking to obtain medical care in your name. Thus, pretending to be you, they go to the doctor to receive treatment, giving the provider your insurance information.
When the doctor asks the fake patient for any relevant information, they will provide the doctor with their own information. This can result in a situation where your medical record contains inaccurate information when you go to the doctor for treatment.
Victims of a data breach involving protected health information should be sure to take all necessary precautions, including reviewing their medical records and informing their providers. Patients who have questions about how to hold a company accountable for the theft of their information should reach out to a data breach lawyer for assistance.