Consumer Alert: GRIPA data breach letter — your questions answered

You have questions? We have answers. Many of you continue to reach out to us with concerns about a letter you got in the mail last week telling you your health information had been compromised. And so, I thought it would be best if I address the most frequent questions in this Consumer Alert.

On Friday, many of you got a letter in the mail from the Greater Rochester Independent Practice Association, or GRIPA. For most folks, the letter said your name, address and health information have been compromised. And this raised alarm because you have not done business directly with GRIPA. While you haven’t, your doctor or healthcare facility has.

GRIPA acts as a train conductor of sorts, coordinating patient health services for doctors and hospitals throughout our area. While GRIPA wasn’t hacked, it uses software called MOVEit that’s commonly used by about 2500 public and private companies. Russians hacked MOVEit and by doing so were able to steal information from government entities like the Pentagon, the Department of Justice and private companies like GRIPA.

I got an email from a viewer named Frank, and many of you asked the same thing. Frank wrote, “You need to provide authorization before health info is given to someone. No one has ever heard of GRIPA; bet no one has given any authorization.”

That’s a great point. As you know, your health information is protected by HIPAA regulations, so I looked up those regulations. And after a lot of reading, I found a section of federal code that says the privacy rule permits a covered entity, for example your doctor, to use and disclose your protected health information for treatment, payment, and healthcare operations activities.

That’s what applies in this case, “healthcare operations activities.” Because GRIPA coordinates healthcare services for your doctor or hospital, your protected information can be shared with them under the law.

A number of you are also worried about signing up for the free credit monitoring that’s being offered. Have no fear. There are no strings attached. You don’t have to provide a credit card, and you will not be charged or forced to auto-renew.