• Printer Friendly Version
  • Decrease Text Size Increase Text Size
  • Download as PDF

Notice of Data Privacy Incident

Med-Data, Incorporated (“Med-Data”) recently experienced a privacy incident that may have impacted the protected health information (“PHI”) of individuals whose information was provided to Med-Data to assist with processing.  Med-Data provides revenue cycle services to hospitals, healthcare systems and their patients, including solutions for Medicaid eligibility, third-party liability, workers’ compensation, and patient billing.  All affected healthcare organizations have been informed of the incident.

What happened?

On December 10, 2020, an independent journalist informed Med-Data that some data related to its business had been uploaded to a public-facing website (“the Website”). On December 14, 2020, the journalist provided a link to the data, and Med-Data immediately launched an internal investigation to validate the journalist’s claim and discovered that a former employee had saved files to personal folders they created on the Website sometime during or before September 2019. The files were promptly removed on December 17, 2020. 

Med-Data hired cybersecurity specialists to assist in the review of the files to determine what information may have been included. Further review confirmed that the files may have contained PHI for patients whose information may have processed by Med-Data.  The cybersecurity specialists conducted an in-depth review of the files to identify PHI and extract contact information of potentially affected individuals.  On February 5, 2021, the cybersecurity specialist provided a list of impacted individuals whose PHI was impacted by the incident.  Healthcare entities whose patient’s data was affected were notified on February 8, 2021.  Letters were mailed to impacted individuals and appropriate regulatory agencies on March 31, 2021.     

What information was involved?

From our investigation, it appears that impacted information may have included individuals’ names, in combination with one or more of the following data elements: addresses, dates of birth, Social Security numbers, physical addresses, claims information, health insurance information, subscriber ID, medical condition, diagnosis, dates of service, and provider name.  

What is Med-Data doing?

Med-Data is offering impacted individuals credit monitoring and identity protection services through IDX at no cost.  Med-Data has also taken steps to minimize the risk of a similar event from happening in the future.  Med-Data implemented additional security controls, blocked all file sharing websites, updated internal data policies and procedures, implemented a security operations center, and deployed a managed detection and response solution that provides 24x7 monitoring of our network, endpoints, and workstations.

For more information: To determine whether your information was impacted or for more information about this incident, please call 1-833-903-3647 Monday through Friday from 8 am – 8 pm Central Time, or visit the Med-Data website. Individuals can also contact the Federal Trade Commission at 600 Pennsylvania Avenue NW, Washington, D.C. 20580, 1-877-ID-THEFT (1-877-438-4338); TTY: 1-866-653-4261 or visit www.ftc.gov/idtheft/ for more information on protecting their identity.