Information: Announcement regarding patient information M2 incident.
On August 8, 2013, the Privacy Officer at Cogent Healthcare, Inc. notified approximately 32,000 patients from across the United States that their protected health information (PHI) may have been accessed in a recent incident.
Cogent Healthcare manages various physician groups across the United States. The groups affected by this incident are:
Cogent Healthcare of California, P.C.
Cogent Healthcare of Washington, P.C.
Cogent Healthcare of Ocala, L.L.C.
Cogent Medical Care, P.C.
Cogent Healthcare of Texas, P.A.
Endion Medical Healthcare, P.C. d/b/a Endion SeniorCare
Cogent Healthcare of Montana, P.C.
Cogent Healthcare of Arizona, P.C.
Cogent Healthcare of Georgia, P.C.
Cogent Healthcare of Iowa, P.C.
Cogent Healthcare of New Jersey, P.C.
Inpatient Specialists of Southwest Florida, LLC
Cogent Healthcare of Kentucky, P.S.C.
Cogent Healthcare of Wisconsin, S.C.
Comprehensive Hospital Physicians of Florida, Inc.
Cogent Healthcare IPA of New York, Inc.
Cogent Healthcare of Brockton, P.C.
Cogent Healthcare of North Carolina, P.C.
Cogent Healthcare of South Carolina, P.C.
Cogent Healthcare of Daly City, P.C.
Cogent Healthcare of Jackson, MS, LLC
Cogent Healthcare of Pensacola, L.L.C.
Cogent Healthcare of Pennsylvania, Inc.
California Lung Associates
Cogent Healthcare contracted with M2ComSys (M2), a medical transcription company, to provide services to some of these physician groups. In connection with providing these services, M2 stored protected health information (PHI) on what was supposed to be a secure Internet site. A security lapse by M2, however, allowed some patients’ PHI to be accessed through that Internet site. M2’s job was to transcribe care notes dictated by physicians, such as when they discharged patients from the hospital. The access to these notes through the site began May 5, 2013, and ended following Cogent Healthcare’s discovery of the lapse on June 24, 2013. It involved care notes of approximately 32,000 patients from across the country. We are generally unable to identify who accessed the care notes. In some cases, the care notes were indexed by Google.
As soon as Cogent Healthcare discovered the lapse, the company took immediate steps to prevent further public access to patient files and began a full-scale investigation to determine how the incident occurred and to determine which data and patients were involved. The accessed care notes contained varying combinations of information, including patient name, physician’s name, patient date of birth, diagnosis description, summary of treatment provided and medical history, medical record number and related information. Copies of patient medical records and Social Security number were not included in the accessed records.
In addition, Cogent Healthcare has implemented security measures in an effort to minimize risk from any similar incident in the future. These measures include:
- Terminating our relationship with M2;
- Taking physical possession of the hardware in use at M2;
- Confirming with Google that it has removed all evidence of PHI from its files; and
- Initiating a security review of other Cogent Healthcare vendors who have access to PHI to confirm their security procedures.
Our organization takes information security and patient privacy very seriously. We deeply regret this situation and any inconvenience this may cause our hospital partners and their patients. Even though the information did not contain Social Security numbers, we are encouraging patients affected to take precautions to protect the security of their personal information. For example, patients should remain vigilant by reviewing account statements and monitoring free credit reports. Contact information for three credit reporting agencies is included at the end of this notice.
To help protect the identities of affected patients, we are offering a complimentary one-year membership of Experian’s ProtectMyIDTM Alert. This product helps detect possible misuse of personal information and provides affected patients with superior identity protection services focused on immediate identification and resolution of identity theft.
To learn more information or access credit monitoring services through Experian, affected patients can call the following toll-free telephone number between the hours of 9:00 a.m. to 7:00 p.m., Eastern Time, Monday through Friday: (877) 218-0052. Patients may be asked to provide the following ten-digit reference number when calling: 4298080513.
Credit Reporting Agencies:
1-800-685-1111 (credit report)
1-877-478-7625 (fraud alert)
P.O. Box 740256
Atlanta, GA 30374
P.O. Box 9701
Allen, TX 75013
1-800-888-4213 (credit report)
P.O. Box 1000
Chester, PA 19022
1-800-680-7289 (fraud alert)
P.O. Box 2000
Chester, PA 19022
- About Us
- Our Approach
- Partner With Us