Ken Croken

Ken Croken

A website data security lapse committed by a subcontractor has led Genesis Health System officials to alert 1,164 former hospital patients that they may be at slight risk for identity theft.

The mistake occurred May 5 at a company called M2ComSys, which is a medical transcription firm. That firm contracts with Cogent Healthcare, which provides 12 physicians called hospitalists to the two Genesis Medical Center hospitals in Davenport and at Genesis Medical Center-Illini Campus, Silvis.

Genesis has no responsibility for the security lapse that could have made patient names and birthdates available over the Internet, but officials are concerned that some Quad-City area residents who are affected will have questions about the situation.

No Social Security numbers, credit or banking information were involved, said Ken Croken, a spokesman and vice president for Davenport-based Genesis.

What was involved was information about individual patient cases that was discussed between hospitalists and primary care physicians. This includes dictation of follow-up care information, or "care notes," for the patient's regular physician.

Those notes are transcribed by personnel from M2ComSys, the service subcontractor that Cogent employed. But a firewall was not established to securely protect the online information from May 5 to June 24, Croken said.

Information about a total of about 32,000 patients at 42 U.S. hospitals was involved.

Affected patients in this area — 1,164 people who were seen by hospitalists at the three Genesis facilities — will receive registered letters from Cogent Healthcare, based in Brentwood, Tenn., probably Saturday or Monday.

Genesis officials are concerned that individuals will not recognize the Cogent name and not understand why they have received the notice, Croken said.

"We did feel an ethical need to notify people," he said. 

Cogent will offer affected patients a complimentary one-year membership in Experian’s ProtectMyID Alert, the firm announced Thursday. The 12-month package includes $1 million in identity theft protection, daily credit bureau monitoring and a credit report, plus identity theft and fraud resolution resources. 

There is no evidence that any identity theft has occurred because of the security lapse, but officials cannot guarantee that it will not happen, Croken said, adding that the possibility is remote.

Genesis itself has never had a data security lapse, he emphasized.

"Consumers should expect that this information remains secure," he said.

Croken explained that the data security lapse falls under the Health Insurance Portability and Accountablity Act of 1996, better known HIPAA, and is governed by the federal Office on Civil Rights, which is part of the U.S. Department of Health and Human Services.

Genesis has had a five-year relationship with Cogent, and the future of that will be determined "in the not-so-distant future," Croken said, adding that there are competing firms that supply the hospitalist physicians who work mainly at large, metropolitan hospitals.

Cogent has ended its relationship with M2ComSys.