Advanced Data Processing, Inc.

Name of Entity
Advanced Data Processing, Inc.
Organization Type
Healthcare, Medical Providers & Medical Insurance Services
Address

FL
United States

Description
On or around June 15, 2012, an employee of the covered entity (CE), Advanced Data Processing, Inc. (ADP), dba Intermedix, who had access to patients’ protected health information (PHI) as part of her job, inappropriately accessed the PHI of approximately 10,000 individuals and sold the information to third parties. An addendum to the initial breach report, submitted on April 3, 2015, expanded the breach to an additional 2,360 individuals. The PHI involved in the breach included patient names, Social Security numbers, addresses, dates of birth, claims, and other financial information. The CE provided breach notification to HHS, affected individuals, and the media and posted substitute notice. Following the breach, the CE engaged a third party to review its network environment and make recommendations for security enhancements. It implemented data loss prevention technology to identify electronic PHI and block transmittal of sensitive information, as well as a log management and analysis solution to automate collection, analysis, archival and recovery of log data. The CE implemented policies and procedures for disposal and reuse of mobile devices, as well as for the secure transport of sensitive information to, from, and between data centers. The CE also created an information security team and appointed a committee to address compliance. Additionally, the CE improved its employee training program and launched a vendor management program to ensure the safeguarding of ePHI by its business associates. OCR obtained assurances that the CE implemented the corrective actions listed above. The CE also initiated upgrades to its data center security and workstation antivirus technology.
Location of breached information: Desktop Computer
Business associate present: No
Date of Breach
01/01/2012