Documenting all the places personal data goes.



Debt collection agencies are businesses that pursue payments of debts owed by individuals or businesses. They can be either a subsidiary of the creditor or a separate, third-party company hired by the creditor. A debt collector working for a provider has information on medical charges they are trying to collect from you.


Central Collection Bureau had a data breach in 2008, in Indiana. A computer server containing Social Security numbers and other personal information was stolen last month from a Southside debt-collection bureau. The information includes customer-billing records for Indiana businesses, including Citizens Gas & Coke Utility, St. Vincent Health and Methodist Medical Group. (700,000 records involved) [source].


EPN, Inc. had a data breach in 2012, in Utah. The FTC has fined EPN, Inc. for failing to implement reasonable security measures. The agency charged that the company did not have an appropriate information security plan, failed to assess risks to the consumer information it stored, did not adequately train employees, did not use reasonable measures to enforce compliance with its security policies, and did not use reasonable methods to prevent, detect and investigate unauthorized access to personal information on its networks. The FTC claims that this failure to implement reasonable and appropriate data security measures was an unfair act or practice and violated federal law. EPN's chief operating officer installed peer-to-peer file-sharing software on EPN's computer system and left patient information vulnerable to unauthorized access. Hospital patient Social Security numbers, health insurance numbers, and medical diagnosis codes were accessible on any computer connected to the peer-to-peer network. EPN was barred from misrepresenting the privacy, security, confidentiality, and integrity of personal information it collected. EPN was also required to undergo data security audits and establish and maintain a comprehensive information security program. (3,800 records involved) [source].


LV Financial Services had a data breach in 2010, in Florida. Dozens of boxes of files from medical offices that hired LV to collect unpaid bills were found in an Orlando public dumpster. The files contained names, addresses, Social Security numbers, driver's license copies and credit reports. The collection agency went out of business in 2005 and the location of the files prior to this incident is unknown. [source].


Metro Credit Services had a data breach in 2007, in Texas. Thousands of files from the defunct bill collection company containing medical records, phone bills and Social Security numbers were found in a trash bin. [source].



Copyright © 2012-2016 President and Fellows Harvard University.