A third-party debt collection agency, which acted as a business associate to a University of Chicago Physicians Group, encountered a breach under HIPAA and had to notify 1,400 individuals that their information was compromised.
The debt collection agency received a notice from an individual that a user on its website could view sensitive information relating to other debtors. This information included patient name, address, Social Security Number, date of birth, insurance policy information, diagnosis, among others. The agency conducted an internal investigation and confirmed the breach.
The agency made the required notifications to impacted individuals and the Department of Health and Human Services.