Medical Management, LLC (MML)

Medical Management LLC provides billing services as a business associate (BA) for more than 30 medical facilities in various states, with BA agreements in place for each covered entity (CE). On March 16, 2015, the IRS notified the BA that one of its employees was involved in an identity theft ring. The employee confessed to the activity and was terminated. The BA determined that, during her employment, the employee had access to 30,556 patient’s records containing protected health information (PHI), including demographic information (names, dates of birth and social security numbers). The BA notified each CE of the breach, established a call center, sent letters to the potentially affected individuals on behalf of its CEs, offered credit monitoring and ID theft protection, sent media notice to 12 newspapers, and notified HHS. In response to the breach, the BA upgraded to an improved billing system with more security controls, masked social security numbers where appropriate, and retrained its staff. In addition, the BA implemented software for tracking and monitoring access and user activity, which is monitored by IT staff, in order to identify any abnormal access. OCR obtained assurances that the BA implemented the corrective actions listed above.
Location of breached information: Other
Business associate present: Yes