Verus, Inc. and patient privacy breaches

By dissent, June 10, 2007 10:43 am

There have been no headlines naming Verus, Inc., but the company appears to be responsible for three recently reported hospital-related privacy breaches.

Verus, Inc. provides online patient financial services such as bill-paying, and other services. I first became aware of them when their name appeared in a story about a privacy breach affecting 550 patients at Stevens Hospital in Edmonds, Washington. The incident appeared in news on June 4, and a follow-up story on the incident in the June 6th Mukilteo Beacon reported that:

From mid-April until May 22, Internet users could directly access the information on servers at Bellevue-based Verus Incorporated, which has managed Stevens’ online bill-payment system since the service began in December 2006. That service is currently suspended.

[...]

After a firewall error opened up the Verus server, Google’s search engine catalogued the information stored there, making it accessible to anybody at google.com.

On May 22, an Edmonds woman inadvertently accessed the database while searching for information about a deceased friend. She immediately notified Stevens, according to CEO Carter.

Two days later, there was a story that 1000 patients were affected by a breach at Kennewick General Hospital in Washington:

KGH did not make the mistake, but rather Verus, a Bellevue company it hires to process online bill payments, did.

Although the story does not explain the details of the incident, the wording would be consistent with unintended web exposure.

And then one day later, yet another report — this one from Concord Hospital in New Hampshire — that 9,000 patients’ names, addresses, dates of birth and social security numbers were unprotected on the internet “for a period of time.” According to that report in the Concord Monitor:

A Washington-based company called Verus Inc. notified Concord Hospital May 30 that an unintentional lapse had occurred in the data security procedures when the company turned off a firewall for maintenance purposes.

I don’t know how many hospital clients Verus, Inc. has, but I wouldn’t be surprised if there are other hospital or health care facilities affected by this “firewall error” that we may find out about in the weeks to come. So far, I do not see any statement on Verus, Inc.’s web site.

Update of August 9, 2007: As noted in the comments to this blog, the fourth incident involving Verus, Inc. was reported in the media on July 24th, and involved St. Vincent’s Hospital in Indianapolis. Yesterday, Sky Lakes Medical Center in Klamath Falls reported the same type of problem as all the others, and they, too, cancelled their contract with Verus.

Update of August 15, 2007: Tim Wilson of Dark Reading is reporting that Verus has folded. His article pretty much confirms everything I had posted and speculated about here. And yes, I still think we’ll find out there are other hospitals affected.

Update of August 24, 2007: Two more hospitals have been revealed as being involved in the incident: Freeman Health System in Joplin, Missouri and Holy Name Hospital in Teaneck, New Jersey. I have also been in touch with a few other hospitals who say that despite Verus’s press releases, they had either not signed with Verus or had signed but had not yet gone live with any data when the security breach occurred. One hospital on my list has not been returning calls, and one re-seller will not divulge all of the hospitals who purchased the Verus vPAC system from them, so there may still be more to this story.


14 Responses to “Verus, Inc. and patient privacy breaches”

  1. Joe Cool says:

    How can a firewall that is turned off allow internet traffic such as google access to the patient data?

    Something is fishy with that explanation.

  2. dissent says:

    There’s much to wonder about here. I wonder why if Verus found out on or about May 22nd that they had a problem with Stevens, it took them until May 30 to notify Concord Hospital.

    That’s apart from the issue of why they remained reportedly unsecured from mid-April until then without noticing the problem themselves.

    I also wonder why so far, no one has been able to get a response from Verus. I had emailed them before I posted the blog entry, and email to the Media Relations address on their site bounced back. And I think I’ve seen reference that others’ attempts to reach them have been unsuccessful in getting Verus to return calls on this breach.

    So… how many other hospitals might there be that are affected, and will Verus be investigated by CMS under HIPAA provisions, and will they face not only loss of contracts from hospitals — as has apparently happened already — or will they also face investigation and possible fines by state attorneys general (in addition to any civil suits that might be filed)?

    Clearly, I intend to keep watching this matter.

  3. Jennifer says:

    They did it again – at St. Vincent’s hospital in Indianapolis. Wonder if it’s intentional. They are probably getting paid to feed the information to someone.

  4. dissent says:

    I don’t think it’s intentional. I think they screwed up royally and all of their clients are probably affected, but we’ll have to wait for more disclosures and information.

  5. Rockie says:

    I work network security for a hospital and my main concern is the vendors and web applications used that are just waiting to be exposed like this. This company needs to be made an example for all. HIPAA has been around a long time and ignorance of the law is no excuse. They HAD to know they needed to protect that information.

  6. dissent says:

    U Pitt Medicine and Harvard also had problems with vendors’ apps exposing medical/health-related info on patients.

    Wonder what happened to Verus’s web site… and how many more of their clients we’ll learn also had this problem. Four and counting…

  7. dissent says:

    Now 5. See update to main post.

  8. Mmoore says:

    I was wondering what, if any, recourse we may have in regards to the recent Verus, Inc. and patient privacy breaches? Are we as consumers just supposed to roll over and accept this as business as usual? Is there any accountability? Maybe it is time for a class action suit in order to send a message that we as consumers will no longer tolerate the “oops! we’re sorry about that” attitude when it comes to our private information.

    Thanks MM

  9. dissent says:

    I don’t think that Verus has even issued any public “oops!” or apology statement. Their web site is gone, too.

    As to recourse, I’m not a lawyer, but I don’t remember ever seeing any class action lawsuits prevail, although there’s that recent Bank of America settlement offer on a lawsuit that was started eight years ago.

    Dan Solove, who is a privacy lawyer, may be able to identify a different and more successful approach, e.g., by making a claim based on a different law or something.

    The courts are not the only route, though. The FTC and state attorneys general can file actions against businesses for not taking adequate privacy protections, and they’ve actually done so in a number of cases. The Texas AG has made news recently for filing a number of such suits against businesses who engaged in improper disposal of records or confidential information. The FTC has also fined businesses who promised online security and failed to deliver on that promise.

    Then there’s also the HIPAA route. I wonder if any of the affected folks have filed a formal HIPAA complaint against Verus for violation of the HIPAA Security Rule. Not that HHS would do anything other than maybe make them change their procedures, but I would still take the time to file the complaint as it’s pretty easy to do.

    I don’t want to discourage you from taking action, because I agree with you that something needs to be done. I just don’t know which route(s) are the best or most effective way to go. If a business is concerned about its reputation, you’d hope that bad press would be a deterrent or punishment, but every month, TJX is reporting retail sales gains, so I’m thinking bad press isn’t enough.

    I would suggest you contact some reputable attorney like Solove to get an idea of whether it’s worth it. I don’t know if he actually litigates, but he’d probably be able to give you some sense of where to go and what the issues or pitfalls might be.

    And please let me know if you do something about Verus, Inc.

  10. Mmoore says:

    I want to thank you for all your help in regards to Verus. I will keep you updated on future developments.

    Thanks again MM

  11. dissent says:

    Update of August 15, 2007: Tim Wilson of Dark Reading is reporting that Verus has folded. His article pretty much confirms everything I had posted and speculated about here. And yes, I still think we’ll find out there are other hospitals affected.

  12. dissent says:

    Update of August 21, 2007: Freeman Health System in Joplin, Missouri confirmed to me that they were also part of the incident. More details should be released by the hospital shortly, but according to a hospital spokesperson, they notified affected patients by letter after discovering the problem.

  13. Brian says:

    I am just getting wind of this whole story. I used to be the Vice President of Verus. The VPAC platform was just in its infancy when I left. I am speechless! I have been in healthcare for fifteen years and this is sad for everyone. All that pt. information on Google no less. I own a business in healthcare now and everyone had better dot the i’s and cross the T’s when it comes to HIPAA. I knew the owner very well along with several of the employees and I can’t imagine everyone just vanished. No one wins here. 100,000 people with PHI floating around and 20 or 30 employees/families with no job as a result.

  14. dissent says:

    I am still debating asking HHS/CMS to launch an investigation on this whole debacle. Out of all of the hospitals who disclosed the incident and the hospitals that I spoke with who didn’t initially disclose, only one reported that the transmissions were encrypted (and one other hospital said that most of their files were empty and the one that was not empty had no PII in it).

    Considering that this was an online payment system, I am wondering what the heck the rest of these hospitals were thinking by not using encryption.

    Nor can any hospital whose unencrypted records were cached by Google, Yahoo, or any other search engine really be sure whether the data were accessed unless they obtain every search engine’s logs.

    Should an online payment system like VPAC require encrypted transmissions even if a client doesn’t think that HIPAA requires it?

    One of the reasons I kept hammering at the Verus incident is because I fear that people will not learn a lesson from it.

    If any of the principals involved in the mess would like to post a statement or explain, I’d welcome hearing from them.
