Stolen Data Includes Patient Medical Information, According to Breach Notification

A Pennsylvania-based debt collector originally told regulators in April that a hacker compromised the personal identifiable information of 1.9 million people. Now the company says the data breach affected more than 4 million people and included patient medical information.

  • @PM_Your_Nudes_Please
    129 days ago

    The real question is why a debt collector had patient medical information to begin with. That sounds like a massive HIPAA violation. Under HIPAA, debt collectors are only supposed to be given the bare minimum info to be able to collect the debt. Typically, that consists of the patient’s contact info and how much is owed. They very rarely get any kind of supporting documents, because that would divulge too much info.

    One of the fastest ways to get a medical debt collector to delete your debt entirely is to get them to slip up and mention that they have info regarding your diagnoses or treatments. As soon as they mention that they know what the bill is for (for instance, saying it’s a bill for a heart surgery instead of simply saying it’s a bill from a heart surgeon’s office), you can start threatening to sue and file HIPAA complaints. They’ll almost always agree to delete the debt if you agree not to sue. And even then, you should still make the HIPAA report regardless, because they can’t legally stop you from doing it and it’s one of the few ways to hold scummy debt collectors accountable.