Federal and state authorities investigate a data breach at Philadelphia-area ob/gyn practice

Federal and state authorities are looking into allegations that a Main Line Women’s Healthcare employee used a personal cellphone to capture confidential information from medical charts, potentially affecting more than 800 patients at the ob/gyn practice, which has offices in King of Prussia, Malvern, Plymouth Meeting, and Bryn Mawr.

The joint inquiry began earlier this month after Main Line Women’s Healthcare, run by Regional Women’s Health Group, reported the data breach to the U.S. Department of Health and Human Services and the Pennsylvania Office of Attorney General. The civil investigation probe is in its early stages and the employee’s motive remains unclear, authorities said.

“We are working closely with law enforcement and assisting in their investigation,” wrote Lorna Pate, chief compliance officer for Axia Women’s Health, the umbrella organization of the Main Line provider, in an Oct. 10 letter sent to affected patients and obtained by The Inquirer.

According to the letter, the employee had access to patient records, including name, date of birth, home address, medical account number, insurance provider, treating physician, medications, and diagnosis, while working for Main Line Women’s Healthcare from Feb. 7 to June 14.

Pate told patients in her letter that after learning about the security breach, supervisors suspended the employee, and launched an internal investigation “to determine what patient information may have been saved by this individual without authorization.” On Sept. 7, they determined which patients were affected, but didn’t notify them until Oct. 10.

Pennsylvania requires notification “without unreasonable delay.”

When asked about the time lag, Kelly Raible, Axia’s vice president of marketing, said in an email Thursday that it took time to work with authorities to “determine the full scope of the incident” and identify and verify current addresses for patients who “may have been impacted.” In all, 804 patients were notified, and the employee has since been fired, she said.

In the letter to patients, Axia’s Pate wrote that they’re reviewing the provider’s policies and procedures to identify any security gaps and “reduce the likelihood of a similar future incident.” As an added precaution, Pate said, Axia is offering complimentary credit monitoring for 12 months.

“We take this incident and the security of personal information in our care seriously,” Pate wrote.

Both Main Line Women’s Healthcare and Regional Women’s Health Group operate as Axia Women’s Health, with 400 providers at 200 locations. Axia has headquarters in Oaks and in Voorhees.

“Based on the comprehensive investigation performed, we are confident that this incident was isolated to Main Line Women’s Healthcare,” Raible said.

In 2017, Women’s Health Care Group of PA, which also operates under Axia, experienced a massive data breach, affecting more than 300,000 patients, as part of a ransomware attack.

There’s a hot underground market for stolen patient data, according to Alex Hamerstone, an expert on health-care security with TrustedSec, an Ohio-based consulting group. In fact, medical information is much more valuable to thieves than credit card numbers. Large amounts of patient data can be sold and used to commit medical fraud, including billing schemes, he said.

“There’s only so much you can do with a credit card before it gets flagged and shut down,” Hamerstone said. “The main reason why a criminal wants that medical record is to commit fraud so they can fraudulently bill insurers and create fake services.” Criminals can also use patient records to order medical equipment or obtain prescription drugs.

Hamerstone said many patients don’t look at medical service statements that come in the mail, although they should. He said it’s difficult to prevent an employee from using a cell phone to steal patient data.

“You can have all the protections in the world and all the data-loss prevention and controls and systems to see if you are losing data, but they can all be overwritten by somebody with a cell phone camera because you can just take pictures of your data,” he said.

Peter Fair, a spokesperson for the Attorney General’s office, said Main Line Women’s Healthcare patients or any Pennsylvania consumers who think they have been affected by this data breach can file a complaint online or by mail. To obtain a complaint form or ask additional questions, call 717-705-6938.